CPANSA-CPAN-2023-31484: CPAN vulnerability

Publisher	giterlizzi	Document category	csaf_security_advisory
Initial release date	2023-02-28T00:00:00	Engine	CSAF Perl Toolkit 0.25
Current release date	2023-02-28T00:00:00	Build Date
Current version	1	Status	final
CVSS v3.1 Base Score	8.1	Severity
Original language		Language	en
Also referred to

Vulnerability Description

The verify_SSL flag is missing from HTTP::Tiny, and allows a network attacker to MITM the connection if it is used by the CPAN client

Vulnerabilities

CVE-2023-31484

Vulnerability Description

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Weakness	CWE-295 : Improper Certificate Validation

Product status

Known affected

Product

Score

CPAN less than 2.35

CVSS Version	CVSS Vector	CVSS Base Score	CVSS Base Severity
3.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	8.1	High

Fixed

CPAN greater than or equal 2.35

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

CPANSA-CPAN-2023-31484 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2023/cpansa-cpan-2023-31484.json
https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0 external
https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/ external
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
https://github.com/andk/cpanpm/pull/175 external
https://github.com/andk/cpanpm/pull/175
https://www.openwall.com/lists/oss-security/2023/04/18/14 external
https://www.openwall.com/lists/oss-security/2023/04/18/14
CVE-2023-31484 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2023-31484

Revision history

Version	Date of the revision	Summary of the revision
1	Tue Feb 28 00:00:00 2023	First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/