Описание
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
A flaw was found in Perl's CPAN, which doesn't check TLS certificates when downloading content. This happens due to verify_SSL missing when suing the HTTP::Tiny library during the connection. This may allow an attacker to inject into the network path and perform a Man-In-The-Middle attack, causing confidentiality or integrity issues.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | perl | Out of support scope | ||
| Red Hat Enterprise Linux 7 | perl | Affected | ||
| Red Hat Enterprise Linux 8 | perl-CPAN | Fixed | RHSA-2024:3094 | 22.05.2024 |
| Red Hat Enterprise Linux 9 | perl-CPAN | Fixed | RHSA-2023:6539 | 07.11.2023 |
Показывать по
10
Дополнительная информация
Статус:
Moderate
Дефект:
CWE-295
https://bugzilla.redhat.com/show_bug.cgi?id=2218667perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS
7.4 High
CVSS3
Связанные уязвимости
CVSS3: 8.1
ubuntu
около 2 лет назад
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
CVSS3: 8.1
nvd
около 2 лет назад
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
CVSS3: 8.1
debian
около 2 лет назад
CPAN.pm before 2.35 does not verify TLS certificates when downloading ...
7.4 High
CVSS3