CVE-2023-31484

Опубликовано: 29 апр. 2023

Источник: redhat

CVSS3: 7.4

EPSS Низкий

Описание

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

A flaw was found in Perl's CPAN, which doesn't check TLS certificates when downloading content. This happens due to verify_SSL missing when suing the HTTP::Tiny library during the connection. This may allow an attacker to inject into the network path and perform a Man-In-The-Middle attack, causing confidentiality or integrity issues.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 6	perl	Out of support scope
Red Hat Enterprise Linux 7	perl	Affected
Red Hat Enterprise Linux 8	perl-CPAN	Fixed	RHSA-2024:3094	22.05.2024
Red Hat Enterprise Linux 9	perl-CPAN	Fixed	RHSA-2023:6539	07.11.2023

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-295

https://bugzilla.redhat.com/show_bug.cgi?id=2218667perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS

EPSS

Процентиль: 78%

0.01116

Низкий

7.4 High

CVSS3

Связанные уязвимости

CVE-2023-31484

CVSS3: 8.1

ubuntu

больше 2 лет назад

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

CVE-2023-31484

CVSS3: 8.1

nvd

больше 2 лет назад

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

CVE-2023-31484

CVSS3: 8.1

msrc

2 месяца назад

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

CVE-2023-31484

CVSS3: 8.1

debian

больше 2 лет назад

CPAN.pm before 2.35 does not verify TLS certificates when downloading ...

SUSE-SU-2023:2882-1

suse-cvrf

больше 2 лет назад

Security update for perl

EPSS

Процентиль: 78%

0.01116

Низкий

7.4 High

CVSS3