CVE-2023-31486
Publication date 29 April 2023
Last updated 24 July 2024
Ubuntu priority
CVSS 3 severity score
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
Status
Package | Ubuntu Release | Status |
---|---|---|
libhttp-tiny-perl | 22.04 LTS jammy | Ignored (see notes) |
libhttp-tiny-perl | 20.04 LTS focal | Ignored (see notes) |
libhttp-tiny-perl | 18.04 LTS bionic | Ignored (see notes) |
libhttp-tiny-perl | 16.04 LTS xenial | Ignored (see notes) |
libhttp-tiny-perl | 14.04 LTS trusty | Ignored (end of standard support) |
perl | 22.04 LTS jammy | Ignored (see notes) |
perl | 20.04 LTS focal | Ignored (see notes) |
perl | 18.04 LTS bionic | Ignored (see notes) |
perl | 16.04 LTS xenial | Ignored (see notes) |
perl | 14.04 LTS trusty | Ignored (see notes) |
Notes
ccdm94
It seems like upstream will not be fixing this issue due to the large risk that it might break things and in order to maintain backwards compatibility. As per the information available in https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT, HTTP::Tiny aims to not make assumptions about trust models chosen by users, and, therefore, according to the documentation and upstream's position regarding this issue (see p5-http-tiny issues 68 and 134), it is recommended that users set the verify_SSL option in their own code in order to apply certificate verification functionalities to their applications. Due to the risk of this issue introducing regressions and all that has been mentioned up to this point, releases will be marked as ignored.
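Worked example (added here; it is not code from the HTTP::Tiny project or from the Ubuntu tracker): a Perl script that first detects an HTTP::Tiny client that will skip certificate verification, then builds one that verifies, which is the opt-in the note above recommends and the only fix available on the releases marked Ignored, since the HTTP::Tiny bundled with their perl packages predates 0.083. The function names tls_verification_gap, hardened_client and fetch, the agent string and the use of SSL_CERT_FILE as the CA bundle path are this example's own choices. HTTP::Tiny->new, the verify_SSL accessor, SSL_options with SSL_ca_file, and status 599 for internal exceptions are the module's documented interface. Any https:// request additionally needs IO::Socket::SSL and Net::SSLeay installed.

```perl
#!/usr/bin/env perl
# Added example, not part of HTTP::Tiny or the Ubuntu CVE tracker.
# (1) detect a client that will not verify the server certificate;
# (2) build one that verifies on every HTTP::Tiny version;
# (3) treat a failed certificate check as a TLS error, not an HTTP error.
use strict;
use warnings;
use HTTP::Tiny;

# Returns a diagnostic string if $ua connects to https:// hosts without
# checking the server certificate, or undef if it verifies.
sub tls_verification_gap {
    my ($ua) = @_;
    # verify_SSL() is the documented accessor. Before 0.083 it is false
    # unless the caller passed verify_SSL => 1 to new().
    return undef if $ua->verify_SSL;
    return sprintf 'HTTP::Tiny %s instance has verify_SSL disabled; '
        . 'https:// responses cannot be trusted (CVE-2023-31486)',
        HTTP::Tiny->VERSION;
}

# Build a client that verifies the peer chain and hostname. Passing
# verify_SSL => 1 explicitly is the upstream-recommended fix and works on
# every version, so callers do not depend on the 0.083 default change.
# ca_file is optional; when omitted HTTP::Tiny looks for a system CA
# bundle (and Mozilla::CA if installed). The name ca_file is ours.
sub hardened_client {
    my (%opt) = @_;
    my %ssl = %{ $opt{SSL_options} // {} };
    # e.g. /etc/ssl/certs/ca-certificates.crt on Ubuntu
    $ssl{SSL_ca_file} = $opt{ca_file} if $opt{ca_file};
    return HTTP::Tiny->new(
        verify_SSL  => 1,
        SSL_options => \%ssl,
        timeout     => $opt{timeout} // 10,
        agent       => 'tls-check/0.1',   # example agent string
    );
}

# Fetch a URL and distinguish a TLS failure from an ordinary HTTP error.
# HTTP::Tiny does not throw on a failed certificate check: it reports
# internal exceptions as status 599 with the error text in {content}.
# A caller that only inspects {success} would see a false value but
# would not know the connection was refused for a trust failure.
sub fetch {
    my ($ua, $url) = @_;
    my $res = $ua->get($url);
    if ($res->{status} == 599) {
        return { ok => 0, tls_error => 1, message => $res->{content} };
    }
    return {
        ok        => $res->{success} ? 1 : 0,
        tls_error => 0,
        status    => $res->{status},
        reason    => $res->{reason},
    };
}

# Usage: perl tls_check.pl https://example.invalid/
# Audit the default constructor first, then use the corrected client.
my $default_ua = HTTP::Tiny->new;
if (my $gap = tls_verification_gap($default_ua)) {
    warn "$gap\n";    # fires on every HTTP::Tiny before 0.083
}

my $ua = hardened_client(ca_file => $ENV{SSL_CERT_FILE});
die "hardened client must verify\n" if tls_verification_gap($ua);

if (my $url = shift @ARGV) {
    my $r = fetch($ua, $url);
    if ($r->{tls_error}) {
        print "TLS/transport failure: $r->{message}\n";
    }
    else {
        printf "%s %s\n", $r->{status}, $r->{reason};
    }
}
```

Run without arguments on an affected perl and only the warning is printed, which is enough for a quick audit of the installed module; pass a URL to exercise the verifying client. The 599 branch is the part worth copying into existing code: on an affected HTTP::Tiny a successful-looking https:// response says nothing about who answered, and once verify_SSL is enabled the failure mode that replaces it is a 599 response rather than an exception, so code that never inspects {status} will silently keep "succeeding" on a certificate problem.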
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 · High |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Other references
- https://www.openwall.com/lists/oss-security/2023/04/18/14
- https://github.com/chansen/p5-http-tiny/issues/134
- https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
- https://hackeriet.github.io/cpan-http-tiny-overview/
- https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/
- http://www.openwall.com/lists/oss-security/2023/04/29/1
- http://www.openwall.com/lists/oss-security/2023/05/03/3
- http://www.openwall.com/lists/oss-security/2023/05/03/5
- https://www.openwall.com/lists/oss-security/2023/05/03/4
- https://www.cve.org/CVERecord?id=CVE-2023-31486