CVE-2023-31486

Опубликовано: 18 апр. 2023

Источник: redhat

CVSS3: 8.1

EPSS Низкий

Описание

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

A vulnerability was found in Tiny, where a Perl core module and standalone CPAN package, does not verify TLS certificates by default. Users need to explicitly enable certificate verification with the verify_SSL=>1 flag to ensure secure HTTPS connections. This oversight can potentially expose applications to man-in-the-middle (MITM) attacks, where an attacker might intercept and manipulate data transmitted between the client and server.

Отчет

This vulnerability is rated as a moderate severity because, it does not compromise data or credentials, it exposes users to significant security risks if HTTPS connections are not properly configured.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 7	perl-HTTP-Tiny	Out of support scope
Red Hat Enterprise Linux 8	perl:5.30/perl-HTTP-Tiny	Affected
Red Hat Enterprise Linux 8	perl:5.32/perl-HTTP-Tiny	Affected
Red Hat Enterprise Linux 8	perl-HTTP-Tiny	Fixed	RHSA-2023:7174	14.11.2023
Red Hat Enterprise Linux 8.6 Extended Update Support	perl-HTTP-Tiny	Fixed	RHSA-2024:0422	25.01.2024
Red Hat Enterprise Linux 8.8 Extended Update Support	perl-HTTP-Tiny	Fixed	RHSA-2024:0579	30.01.2024
Red Hat Enterprise Linux 9	perl-HTTP-Tiny	Fixed	RHSA-2023:6542	07.11.2023
Red Hat Enterprise Linux 9.2 Extended Update Support	perl-HTTP-Tiny	Fixed	RHSA-2024:4430	09.07.2024

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-1188

https://bugzilla.redhat.com/show_bug.cgi?id=2228392http-tiny: insecure TLS cert default

EPSS

Процентиль: 73%

0.00785

Низкий

8.1 High

CVSS3

Связанные уязвимости

CVE-2023-31486

CVSS3: 8.1

ubuntu

больше 2 лет назад

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

CVE-2023-31486

CVSS3: 8.1

nvd

больше 2 лет назад

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

CVE-2023-31486

CVSS3: 8.1

msrc

около 2 лет назад

Описание отсутствует

CVE-2023-31486

CVSS3: 8.1

debian

больше 2 лет назад

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available ...

openSUSE-SU-2023:0223-1

suse-cvrf

около 2 лет назад

Security update for perl-HTTP-Tiny

EPSS

Процентиль: 73%

0.00785

Низкий

8.1 High

CVSS3