CVE-2023-31484

Опубликовано: 29 апр. 2023

Источник: nvd

CVSS3: 8.1

EPSS Низкий

Описание

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Ссылки

http://www.openwall.com/lists/oss-security/2023/04/29/1
Mailing List
Patch
http://www.openwall.com/lists/oss-security/2023/05/03/3
Mailing List
Patch
http://www.openwall.com/lists/oss-security/2023/05/03/5
Mailing List
http://www.openwall.com/lists/oss-security/2023/05/07/2
Mailing List
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
Mitigation
Patch
Third Party Advisory
https://github.com/andk/cpanpm/pull/175
Exploit
Issue Tracking
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
https://metacpan.org/dist/CPAN/changes
Release Notes
https://security.netapp.com/advisory/ntap-20240621-0007/
https://www.openwall.com/lists/oss-security/2023/04/18/14
Mailing List
Patch
http://www.openwall.com/lists/oss-security/2023/04/29/1
Mailing List
Patch
http://www.openwall.com/lists/oss-security/2023/05/03/3
Mailing List
Patch
http://www.openwall.com/lists/oss-security/2023/05/03/5
Mailing List
http://www.openwall.com/lists/oss-security/2023/05/07/2
Mailing List
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
Mitigation
Patch
Third Party Advisory
https://github.com/andk/cpanpm/pull/175
Exploit
Issue Tracking
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
https://metacpan.org/dist/CPAN/changes
Release Notes

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:cpanpm_project:cpanpm:*:*:*:*:*:*:*:*

Версия до 2.35 (исключая)

Конфигурация 2

cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*

Версия до 5.38.0 (исключая)

EPSS

Процентиль: 79%

0.01385

Низкий

8.1 High

CVSS3

Дефекты

CWE-295

Связанные уязвимости

CVE-2023-31484

CVSS3: 8.1

ubuntu

около 2 лет назад

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

CVE-2023-31484

CVSS3: 7.4

redhat

около 2 лет назад

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

CVE-2023-31484

CVSS3: 8.1

debian

около 2 лет назад

CPAN.pm before 2.35 does not verify TLS certificates when downloading ...

SUSE-SU-2023:2882-1

suse-cvrf

почти 2 года назад

Security update for perl

SUSE-SU-2023:2881-1

suse-cvrf

почти 2 года назад

Security update for perl

EPSS

Процентиль: 79%

0.01385

Низкий

8.1 High

CVSS3

Дефекты

CWE-295