CPANSA-IO-Socket-SSL-2010-4334: IO-Socket-SSL vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2011-01-14T00:00:00 | Engine | CSAF Perl Toolkit 0.25 |
| Current release date | 2011-01-14T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | Severity | ||
| Original language | Language | en | |
| Also referred to | |||
Vulnerability Description
The IO::Socket::SSL module 1.35 for Perl, when verify_mode is not VERIFY_NONE, fails open to VERIFY_NONE instead of throwing an error when a ca_file/ca_path cannot be verified, which allows remote attackers to bypass intended certificate restrictions.
Vulnerabilities
CVE-2010-4334
Vulnerability DescriptionThe IO::Socket::SSL module 1.35 for Perl, when verify_mode is not VERIFY_NONE, fails open to VERIFY_NONE instead of throwing an error when a ca_file/ca_path cannot be verified, which allows remote attackers to bypass intended certificate restrictions.
| Weakness | CWE-310 : Cryptographic Issues |
|---|
Product status
Known affected
| Product | Score | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| IO-Socket-SSL less than or equal 1.35 |
|
Fixed
- IO-Socket-SSL greater than 1.35
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-IO-Socket-SSL-2010-4334 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2011/cpansa-io-socket-ssl-2010-4334.json - http://osvdb.org/69626 external
http://osvdb.org/69626 - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058 external
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058 - http://www.securityfocus.com/bid/45189 external
http://www.securityfocus.com/bid/45189 - http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.35/Changes external
http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.35/Changes - http://secunia.com/advisories/42508 external
http://secunia.com/advisories/42508 - http://secunia.com/advisories/42757 external
http://secunia.com/advisories/42757 - http://www.openwall.com/lists/oss-security/2010/12/09/8 external
http://www.openwall.com/lists/oss-security/2010/12/09/8 - http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052594.html external
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052594.html - http://www.openwall.com/lists/oss-security/2010/12/24/1 external
http://www.openwall.com/lists/oss-security/2010/12/24/1 - http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052601.html external
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052601.html - http://www.mandriva.com/security/advisories?name=MDVSA-2011:092 external
http://www.mandriva.com/security/advisories?name=MDVSA-2011:092 - CVE-2010-4334 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2010-4334
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Fri Jan 14 00:00:00 2011 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/