oss-sec mailing list archives
Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules
From: Reid Sutherland <reid () thirddimension net>
Date: Wed, 3 May 2023 15:15:47 -0400
Who actually decides when something receives a CVE? This can be used to defame projects and products as in this case.
On 4/29/23 06:04, Stig Palmquist wrote:
- CVE-2023-31484 for CPAN.pm
- CVE-2023-31485 for GitLab::API::v4
- CVE-2023-31486 for HTTP::Tiny

On 2023-04-18 17:46, Stig Palmquist wrote:

HTTP::Tiny v0.082, a Perl core module since v5.13.9 and available standalone on CPAN, does not verify TLS certs by default. Users must opt-in with the verify_SSL=>1 flag to verify certs when using HTTPS.

We grepped through CPAN to find distributions using HTTP::Tiny that didn't specify cert verification behaviour, possibly exposing users to mitm attacks.

Here are some examples with patches:

- CPAN.pm v2.34 downloads and executes code from https://cpan.org without verifying server certs. Fixed in v2.35-TRIAL.
  https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0
- GitLab::API::v4 v0.26 exposes API secrets to a network attacker.
  https://github.com/bluefeet/GitLab-API-v4/pull/57
- Finance::Robinhood v0.21 is maybe exposing API secrets and financial information to a network attacker.
  https://github.com/sanko/Finance-Robinhood/pull/6
- Paws (aws-sdk-perl) v0.44 is maybe exposing API secrets to a network attacker.
  https://github.com/pplu/aws-sdk-perl/pull/426
- CloudHealth::API v0.01 is maybe exposing API secrets to a network attacker.
  https://github.com/pplu/cloudhealth-api-perl/pull/2

... and more. We have generated a list of over 300 potentially affected CPAN distributions.

More info in our blog post:
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/

--
Stig Palmquist <stig () stig io>
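As an added example (not part of this thread, and not HTTP::Tiny's or CPAN.pm's own code), the script below shows the two things a maintainer reading the report above needs: a client constructed with verify_SSL => 1 that fails closed when HTTP::Tiny reports a TLS error, and a source-audit heuristic of the kind the report describes, grepping for HTTP::Tiny->new calls that never set verify_SSL or set it to 0. The sample source, the file name sample.pl and the helper names are constructed for the example; the audit regex is a single-level-paren heuristic and will miss constructors whose argument list itself contains parentheses.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tiny;

# Hardened constructor (example code): opt in to certificate and hostname
# verification explicitly instead of relying on the v0.082 default.
# Verification needs IO::Socket::SSL plus a CA bundle (Mozilla::CA or the
# system store) at runtime.
sub secure_client {
    my (%extra) = @_;
    return HTTP::Tiny->new(
        verify_SSL => 1,      # verify the server certificate chain and hostname
        timeout    => 30,
        %extra,               # caller may add agent, SSL_options, etc.
    );
}

# Fetch a URL and fail closed. HTTP::Tiny reports an exception during the
# request (including a TLS verification failure) as status 599 with the
# exception text in the content field, so surface that text to the caller.
sub fetch_or_die {
    my ($http, $url) = @_;
    my $res = $http->get($url);
    unless ($res->{success}) {
        die sprintf("GET %s failed: %s %s\n%s", $url, $res->{status},
            $res->{reason}, $res->{status} == 599 ? $res->{content} : '');
    }
    return $res->{content};
}

# Audit heuristic (example code): find HTTP::Tiny->new calls and flag those
# whose argument list omits verify_SSL or sets it to 0. Returns a list of
# { file, line, note } hashrefs.
sub audit_source {
    my ($path, $src) = @_;
    my @findings;
    while ($src =~ /HTTP::Tiny\s*->\s*new\b\s*(?:\(([^)]*)\))?/g) {
        my $args   = defined $1 ? $1 : '';
        my $prefix = substr($src, 0, $-[0]);
        my $line   = 1 + ($prefix =~ tr/\n//);   # count newlines before the match
        if ($args !~ /\bverify_SSL\b/) {
            push @findings, { file => $path, line => $line,
                note => 'HTTP::Tiny->new without verify_SSL (insecure default in v0.082)' };
        }
        elsif ($args =~ /\bverify_SSL\s*=>\s*0\b/) {
            push @findings, { file => $path, line => $line,
                note => 'verify_SSL explicitly disabled' };
        }
    }
    return @findings;
}

# Constructed sample source exercising the cases the audit distinguishes.
my $sample = <<'PERL';
use HTTP::Tiny;
my $ua  = HTTP::Tiny->new;                       # insecure default, no parens
my $ua2 = HTTP::Tiny->new(agent => 'x/1.0');     # insecure default
my $ua3 = HTTP::Tiny->new(
    verify_SSL => 1,
    timeout    => 10,
);                                               # verifies certificates
my $ua4 = HTTP::Tiny->new(verify_SSL => 0);      # verification switched off
PERL

# Run the audit offline; only contact the network if a URL is passed in.
my @findings = audit_source('sample.pl', $sample);
printf "%s:%d: %s\n", $_->{file}, $_->{line}, $_->{note} for @findings;

if (@ARGV) {
    my $body = fetch_or_die(secure_client(), $ARGV[0]);
    printf "fetched %d bytes with certificate verification on\n", length $body;
}
```

Run without arguments it reports lines 2, 3 and 8 of the constructed sample and leaves the multi-line constructor with verify_SSL => 1 alone; with an https URL as the only argument it fetches through the verifying client and dies with the IO::Socket::SSL error text if the chain or hostname does not check out.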