{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-31484", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T14:53:30.804Z", "dateReserved": "2023-04-28T00:00:00", "datePublished": "2023-04-28T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-21T19:08:14.922685"}, "descriptions": [{"lang": "en", "value": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/"}, {"url": "https://www.openwall.com/lists/oss-security/2023/04/18/14"}, {"url": "https://github.com/andk/cpanpm/pull/175"}, {"url": "https://metacpan.org/dist/CPAN/changes"}, {"name": "[oss-security] 20230429 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/04/29/1"}, {"name": "[oss-security] 20230503 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/05/03/3"}, {"name": "[oss-security] 20230503 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/05/03/5"}, {"name": "[oss-security] 20230507 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/05/07/2"}, {"name": "FEDORA-2023-1e5af38524", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/"}, {"name": "FEDORA-2023-46924e402a", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-295", "lang": "en", "description": "CWE-295 Improper Certificate Validation"}]}], "affected": [{"vendor": "cpanpm_project", "product": "cpanpm", "cpes": ["cpe:2.3:a:cpanpm_project:cpanpm:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.35", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-12T15:22:37.772694Z", "id": "CVE-2023-31484", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-12T15:24:40.047Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:53:30.804Z"}, "title": "CVE Program Container", "references": [{"url": "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2023/04/18/14", "tags": ["x_transferred"]}, {"url": "https://github.com/andk/cpanpm/pull/175", "tags": ["x_transferred"]}, {"url": "https://metacpan.org/dist/CPAN/changes", "tags": ["x_transferred"]}, {"name": "[oss-security] 20230429 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/04/29/1"}, {"name": "[oss-security] 20230503 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/05/03/3"}, {"name": "[oss-security] 20230503 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/05/03/5"}, {"name": "[oss-security] 20230507 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/05/07/2"}, {"name": "FEDORA-2023-1e5af38524", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/"}, {"name": "FEDORA-2023-46924e402a", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2023/04/18/14", "tags": ["x_transferred"]}, {"url": "https://github.com/andk/cpanpm/pull/175", "tags": ["x_transferred"]}, {"url": "https://metacpan.org/dist/CPAN/changes", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/04/29/1", "name": "[oss-security] 20230429 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/05/03/3", "name": "[oss-security] 20230503 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/05/03/5", "name": "[oss-security] 20230503 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/05/07/2", "name": "[oss-security] 20230507 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/", "name": "FEDORA-2023-1e5af38524", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/", "name": "FEDORA-2023-46924e402a", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:53:30.804Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-31484", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-12T15:22:37.772694Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:cpanpm_project:cpanpm:*:*:*:*:*:*:*:*"], "vendor": "cpanpm_project", "product": "cpanpm", "versions": [{"status": "affected", "version": "0", "lessThan": "2.35", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295 Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-12T15:24:35.869Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/"}, {"url": "https://www.openwall.com/lists/oss-security/2023/04/18/14"}, {"url": "https://github.com/andk/cpanpm/pull/175"}, {"url": "https://metacpan.org/dist/CPAN/changes"}, {"url": "http://www.openwall.com/lists/oss-security/2023/04/29/1", "name": "[oss-security] 20230429 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/05/03/3", "name": "[oss-security] 20230503 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/05/03/5", "name": "[oss-security] 20230503 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/05/07/2", "name": "[oss-security] 20230507 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/", "name": "FEDORA-2023-1e5af38524", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/", "name": "FEDORA-2023-46924e402a", "tags": ["vendor-advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}], "descriptions": [{"lang": "en", "value": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-06-21T19:08:14.922685"}}}, "cveMetadata": {"cveId": "CVE-2023-31484", "state": "PUBLISHED", "dateUpdated": "2024-08-02T14:53:30.804Z", "dateReserved": "2023-04-28T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-04-28T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cpanpm_project:cpanpm:*:*:*:*:*:*:*:*", "matchCriteriaId": "90D5B630-223B-4035-89FF-84D4BD0D7C32", "versionEndExcluding": "2.35", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*", "matchCriteriaId": "00980675-EC82-443D-AFFE-B83E5239DAB9", "versionEndExcluding": "5.38.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS."}], "id": "CVE-2023-31484", "lastModified": "2024-08-01T13:43:46.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-04-29T00:15:09.000", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Patch"], "url": "http://www.openwall.com/lists/oss-security/2023/04/29/1"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch"], "url": "http://www.openwall.com/lists/oss-security/2023/05/03/3"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/05/03/5"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/05/07/2"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Patch", "Third Party Advisory"], "url": "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/andk/cpanpm/pull/175"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://metacpan.org/dist/CPAN/changes"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20240621-0007/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch"], "url": "https://www.openwall.com/lists/oss-security/2023/04/18/14"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3094", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "perl-CPAN-0:2.18-399.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-05-22T00:00:00Z"}, {"advisory": "RHSA-2023:6539", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "perl-CPAN-0:2.29-3.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}], "bugzilla": {"description": "perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS", "id": "2218667", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2218667"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-295", "details": ["CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", "A flaw was found in Perl's CPAN, which doesn't check TLS certificates when downloading content. This happens due to `verify_SSL` missing when suing the `HTTP::Tiny` library during the connection. This may allow an attacker to inject into the network path and perform a Man-In-The-Middle attack, causing confidentiality or integrity issues."], "name": "CVE-2023-31484", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "perl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "perl", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2023-04-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-31484\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-31484"], "threat_severity": "Moderate"}