CVE-2011-0633 - Vulnerability Details

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00137.

Key SSVC decision points have not yet been added.

Vendors	Products
Gisle Aas Subscribe	Libwww-perl Subscribe
Search.cpan Subscribe	Libwww-perl Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:gisle_aas:libwww-perl:0.01:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:0.02:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:0.03:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:0.04:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.00:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.01:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.02:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.03:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.04:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.05:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.06:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.07:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.08:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.09:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.10:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.11:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.12:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.13:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.14:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.15:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.16:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.17:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.18:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.18_03:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.18_04:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.18_05:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.19:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.20:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.21:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.22:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.30:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.31:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.32:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.33:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.34:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.35:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.36:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.41:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.42:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.43:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.44:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.45:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.46:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.47:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.48:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.49:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.50:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.51:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.52:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.53:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.53_90:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.53_91:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.53_92:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.53_93:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.53_94:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.53_95:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.53_96:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.53_97:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.60:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.61:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.62:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.63:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.64:::::::*
	cpe:2.3:a:gisle_aas:libwww-perl:5.65:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.66:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.67:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.68:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.69:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.70:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.71:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.72:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.73:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.74:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.75:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.76:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.77:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.78:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.79:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.800:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.801:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.802:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.803:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.804:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.805:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.806:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.807:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.808:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.810:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.811:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.812:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.813:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.814:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.815:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.816:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.817:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.818:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.819:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.820:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.821:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.822:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.823:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.824:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.825:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.826:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.827:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.828:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.829:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.830:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.831:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.832:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.833:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.834:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5.836:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5b5:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5b6:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5b7:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5b8:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5b9:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5b10:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5b11:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5b12:::::::*
cpe:2.3:a:gisle_aas:libwww-perl:5b13:::::::*
cpe:2.3:a:search.cpan:libwww-perl::::::::
cpe:2.3:a:search.cpan:libwww-perl:5.40_01:::::::*

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2011-0651	The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://cpansearch.perl.org/src/GAAS/libwww-perl-6.02/Changes
http://vttynotes.blogspot.com/2010/12/man-in-middle-fun-with-perl-lwp.html
http://vttynotes.blogspot.com/2011/03/quick-note-on-lwp-and-perl-security-cve.html
https://nvd.nist.gov/vuln/detail/CVE-2011-0633
https://www.cve.org/CVERecord?id=CVE-2011-0633

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2011-05-13T22:00:00Z

Updated: 2024-09-16T17:53:46.874Z

Reserved: 2011-01-20T00:00:00Z

Link: CVE-2011-0633

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2011-05-13T22:55:01.610

Modified: 2025-04-11T00:51:21.963

Link: CVE-2011-0633

Redhat

Severity : Moderate

Publid Date: 2011-03-08T00:00:00Z

Links: CVE-2011-0633 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-20

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Projects

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object