CPANSA-HTTP-Tiny-2023-31486: HTTP-Tiny vulnerability
Field | Value | Field | Value |
---|---|---|---|
Publisher | giterlizzi | Document category | csaf_security_advisory |
Initial release date | 2023-02-14T00:00:00 | Engine | CSAF Perl Toolkit 0.25 |
Current release date | 2023-02-14T00:00:00 | Build date | |
Current version | 1 | Status | final |
CVSS v3.1 base score | 8.1 | Severity | |
Original language | en | Language | en |
Also referred to | | | |
Vulnerability Description
HTTP::Tiny v0.082, a Perl core module since v5.13.9 and also available standalone on CPAN, does not verify TLS certificates by default. Users must opt in by passing verify_SSL => 1 to the constructor to have certificates verified when using HTTPS.
This results in a CWE-1188 (Insecure Default Initialization of Resource) weakness.
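The following Perl script is an added example, not code from this advisory or from the HTTP::Tiny distribution. It shows the weak constructor call (relying on the default) beside the hardened one (verify_SSL => 1), reports the installed version against the fixed release named above, and uses the public verify_SSL accessor so an audit or test can confirm what a client was built with. The CA bundle path in the comment and any URL passed on the command line are placeholders; the script makes no network request unless a URL is given.

```perl
#!/usr/bin/env perl
# Added example: opt in to TLS certificate verification in HTTP::Tiny.
# Not part of the advisory or of the HTTP::Tiny distribution.
use strict;
use warnings;
use HTTP::Tiny;

# Compare the installed module against the fixed release named in the advisory.
my $fixed = '0.083';
printf "HTTP::Tiny %s installed (verifying default from %s on)\n",
    HTTP::Tiny->VERSION, $fixed;
print "WARNING: this version skips certificate verification unless verify_SSL => 1 is set\n"
    if HTTP::Tiny->VERSION < $fixed;   # decimal version strings compare numerically

# Weak: relying on the default. Before 0.083 this silently accepts any server
# certificate, so a spoofed HTTPS endpoint is indistinguishable from the real one.
my $weak = HTTP::Tiny->new;

# Hardened: verification is requested explicitly, so the client behaves the same
# regardless of which version's default it runs on. SSL_options is passed through
# to IO::Socket::SSL; SSL_ca_file is only needed when the system CA bundle is not
# located automatically (the path below is a placeholder, not a real file).
my $hardened = HTTP::Tiny->new(
    verify_SSL => 1,
    timeout    => 10,
    # SSL_options => { SSL_ca_file => '/path/to/ca-bundle.crt' },
);

# verify_SSL is a public accessor, so a test or audit hook can check each client.
for my $pair ( [ weak => $weak ], [ hardened => $hardened ] ) {
    my ( $name, $ua ) = @$pair;
    printf "%-9s verify_SSL=%d\n", $name, $ua->verify_SSL ? 1 : 0;
}

# Only touch the network when a URL is supplied. With verification on, an https://
# URL whose certificate does not validate fails closed instead of being fetched.
if ( my $url = shift @ARGV ) {
    my ( $ok, $why ) = HTTP::Tiny->can_ssl;
    die "TLS support unavailable: $why\n" unless $ok;

    my $res = $hardened->get($url);
    if ( $res->{success} ) {
        printf "%s %s (%d bytes)\n", $res->{status}, $res->{reason}, length $res->{content};
    }
    else {
        # HTTP::Tiny reports internal and TLS failures as status 599 with the
        # underlying error message in the content field.
        printf "request failed: %s %s\n%s\n", $res->{status}, $res->{reason}, $res->{content};
    }
}
```

Run it with no arguments to see the version check and the verify_SSL flag of each client; pass an https:// URL to perform a verified request. Setting verify_SSL explicitly in every constructor call is the change an application needs even after upgrading, because it does not depend on which default the installed HTTP::Tiny ships with.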
Vulnerabilities
CVE-2023-31486
Vulnerability Description
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
Weakness | CWE-295: Improper Certificate Validation |
---|---|
Product status
Known affected
Product | Score |
---|---|
HTTP-Tiny less than 0.083 | |
Fixed
- HTTP-Tiny greater than or equal 0.083
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-HTTP-Tiny-2023-31486 JSON (self): https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2023/cpansa-http-tiny-2023-31486.json
- https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/ (external)
- https://github.com/chansen/p5-http-tiny/issues/152 (external)
- https://github.com/chansen/p5-http-tiny/pull/151 (external)
- https://hackeriet.github.io/cpan-http-tiny-overview/ (external)
- https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/ (external)
- https://github.com/NixOS/nixpkgs/pull/187480 (external)
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962407 (external)
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954089 (external)
- https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92.patch (external)
- https://github.com/chansen/p5-http-tiny/issues/134 (external)
- https://github.com/chansen/p5-http-tiny/issues/68 (external)
- CVE-2023-31486 (NVD, external): https://nvd.nist.gov/vuln/detail/CVE-2023-31486
Revision history
Version | Date of the revision | Summary of the revision |
---|---|---|
1 | Tue Feb 14 00:00:00 2023 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/