CPANSA-libwww-perl-2011-01: libwww-perl vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2011-01-20T00:00:00 | Engine | CSAF Perl Toolkit 0.25 |
| Current release date | 2011-01-20T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | Severity | ||
| Original language | Language | en | |
| Also referred to | |||
Vulnerability Description
The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated.
Vulnerabilities
CVE-2011-0633
Vulnerability DescriptionThe Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.
| Weakness | CWE-20 : Improper Input Validation |
|---|
Product status
Known affected
| Product | Score | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| libwww-perl less than 6.00 |
|
Fixed
- libwww-perl greater than or equal 6.00
giterlizzi
Namespace: https://github.com/giterlizzi/
gdt@cpan.org
References
- CPANSA-libwww-perl-2011-01 JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2011/cpansa-libwww-perl-2011-01.json - http://vttynotes.blogspot.com/2010/12/man-in-middle-fun-with-perl-lwp.html external
http://vttynotes.blogspot.com/2010/12/man-in-middle-fun-with-perl-lwp.html - http://vttynotes.blogspot.com/2011/03/quick-note-on-lwp-and-perl-security-cve.html external
http://vttynotes.blogspot.com/2011/03/quick-note-on-lwp-and-perl-security-cve.html - CVE-2011-0633 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2011-0633
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Thu Jan 20 00:00:00 2011 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/