{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-31486", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T14:53:30.817Z", "dateReserved": "2023-04-28T00:00:00", "datePublished": "2023-04-28T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-06-20T00:00:00"}, "descriptions": [{"lang": "en", "value": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/"}, {"url": "https://www.openwall.com/lists/oss-security/2023/04/18/14"}, {"url": "https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/"}, {"url": "https://hackeriet.github.io/cpan-http-tiny-overview/"}, {"name": "[oss-security] 20230429 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/04/29/1"}, {"name": "[oss-security] 20230503 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/05/03/3"}, {"name": "[oss-security] 20230503 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/05/03/5"}, {"url": "https://www.openwall.com/lists/oss-security/2023/05/03/4"}, {"name": "[oss-security] 20230507 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/05/07/2"}, {"url": "https://github.com/chansen/p5-http-tiny/pull/153"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:53:30.817Z"}, "title": "CVE Program Container", "references": [{"url": "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2023/04/18/14", "tags": ["x_transferred"]}, {"url": "https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/", "tags": ["x_transferred"]}, {"url": "https://hackeriet.github.io/cpan-http-tiny-overview/", "tags": ["x_transferred"]}, {"name": "[oss-security] 20230429 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/04/29/1"}, {"name": "[oss-security] 20230503 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/05/03/3"}, {"name": "[oss-security] 20230503 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/05/03/5"}, {"url": "https://www.openwall.com/lists/oss-security/2023/05/03/4", "tags": ["x_transferred"]}, {"name": "[oss-security] 20230507 Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/05/07/2"}, {"url": "https://github.com/chansen/p5-http-tiny/pull/153", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:http\\:\\:tiny_project:http\\:\\:tiny:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9427A16-49FA-4E66-9641-A9CC9CA57222", "versionEndExcluding": "0.083", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*", "matchCriteriaId": "00980675-EC82-443D-AFFE-B83E5239DAB9", "versionEndExcluding": "5.38.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates."}], "id": "CVE-2023-31486", "lastModified": "2023-06-21T18:19:52.937", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-29T00:15:09.083", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Patch"], "url": "http://www.openwall.com/lists/oss-security/2023/04/29/1"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch"], "url": "http://www.openwall.com/lists/oss-security/2023/05/03/3"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/05/03/5"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/05/07/2"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Patch", "Third Party Advisory"], "url": "https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/chansen/p5-http-tiny/pull/153"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://hackeriet.github.io/cpan-http-tiny-overview/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Patch"], "url": "https://www.openwall.com/lists/oss-security/2023/04/18/14"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2023/05/03/4"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7174", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "perl-HTTP-Tiny-0:0.074-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-11-14T00:00:00Z"}, {"advisory": "RHSA-2024:0422", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "perl-HTTP-Tiny-0:0.074-1.el8_6.1", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-01-25T00:00:00Z"}, {"advisory": "RHSA-2024:0579", "cpe": "cpe:/o:redhat:rhel_eus:8.8", "package": "perl-HTTP-Tiny-0:0.074-1.el8_8.2", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-01-30T00:00:00Z"}, {"advisory": "RHSA-2023:6542", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "perl-HTTP-Tiny-0:0.076-461.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:4430", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "perl-HTTP-Tiny-0:0.076-461.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-07-09T00:00:00Z"}], "bugzilla": {"description": "http-tiny: insecure TLS cert default", "id": "2228392", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2228392"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-1188", "details": ["HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.", "A vulnerability was found in Tiny, where a Perl core module and standalone CPAN package, does not verify TLS certificates by default. Users need to explicitly enable certificate verification with the verify_SSL=>1 flag to ensure secure HTTPS connections. This oversight can potentially expose applications to man-in-the-middle (MITM) attacks, where an attacker might intercept and manipulate data transmitted between the client and server."], "name": "CVE-2023-31486", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "perl-HTTP-Tiny", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "perl:5.30/perl-HTTP-Tiny", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "perl:5.32/perl-HTTP-Tiny", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2023-04-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-31486\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-31486"], "statement": "This vulnerability is rated as a moderate severity because, it does not compromise data or credentials, it exposes users to significant security risks if HTTPS connections are not properly configured.", "threat_severity": "Moderate", "upstream_fix": "HTTP-Tiny 0.083-TRIAL"}