oss-sec mailing list archives

Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules


From: Stig Palmquist <stig () stig io>
Date: Tue, 18 Apr 2023 17:46:30 +0200

HTTP::Tiny v0.082, a Perl core module since v5.13.9 and available
standalone on CPAN, does not verify TLS certs by default. Users must
opt-in with the verify_SSL=>1 flag to verify certs when using HTTPS.

We grepped through CPAN to find distributions using HTTP::Tiny that
didn't specify cert verification behaviour, possibly exposing users to
MITM attacks. Here are some examples with patches:

- CPAN.pm v2.34 downloads and executes code from https://cpan.org
  without verifying server certs. Fixed in v2.35-TRIAL.
  https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0

- GitLab::API::v4 v0.26 exposes API secrets to a network attacker.
  https://github.com/bluefeet/GitLab-API-v4/pull/57

- Finance::Robinhood v0.21 is maybe exposing API secrets and financial
  information to a network attacker.
  https://github.com/sanko/Finance-Robinhood/pull/6

- Paws (aws-sdk-perl) v0.44 is maybe exposing API secrets to a network
  attacker.
  https://github.com/pplu/aws-sdk-perl/pull/426

- CloudHealth::API v0.01 is maybe exposing API secrets to a network
  attacker.
  https://github.com/pplu/cloudhealth-api-perl/pull/2

... and more. We have generated a list of over 300 potentially affected
CPAN distributions.

More info in our blog post:
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/

-- 
Stig Palmquist <stig () stig io>
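The two points of the post above, as an added Perl example that is not part of the original mailing-list message and is not code from HTTP::Tiny, CPAN.pm or any of the distributions named: the first part builds an HTTP::Tiny client the way the affected modules do (no verify_SSL argument) next to a hardened one with verify_SSL => 1, and checks offline, before any request is made, which of the two will verify the server certificate; the second part is a small static audit, written here from scratch rather than the authors' own CPAN grep, that flags HTTP::Tiny->new calls whose argument list never mentions verify_SSL. The sample source it scans is constructed for this example, the guard function assert_verifying_https and the audit function unverified_ctor_lines are this example's own names, and the cpan.org URL is taken from the post but is never fetched.

```perl
#!/usr/bin/perl
# Added example (not code from the advisory, HTTP::Tiny, or any CPAN module).
# Part 1: build HTTP::Tiny clients and check offline whether they will verify
#         the server certificate before an HTTPS request is made.
# Part 2: a static audit that flags HTTP::Tiny->new(...) calls whose argument
#         list does not mention verify_SSL. Sample source below is constructed.
use strict;
use warnings;
use HTTP::Tiny;

# --- Part 1: runtime check -------------------------------------------------

# The pattern the affected distributions use: no verify_SSL argument, so the
# client verifies (or not) according to the installed HTTP::Tiny's default.
my $implicit = HTTP::Tiny->new(timeout => 10);

# Hardened form: ask for verification explicitly. Correct regardless of the
# default shipped by whichever HTTP::Tiny version is installed.
my $explicit = HTTP::Tiny->new(
    verify_SSL => 1,
    timeout    => 10,
    # Optionally pin a CA bundle instead of HTTP::Tiny's own search list:
    # SSL_options => { SSL_ca_file => '/etc/ssl/certs/ca-certificates.crt' },
);

# Guard to call before an HTTPS request (hypothetical helper): dies unless the
# client will verify the peer and an SSL backend (IO::Socket::SSL/Net::SSLeay)
# is available. verify_SSL and can_ssl are HTTP::Tiny's own methods.
sub assert_verifying_https {
    my ($ua, $url) = @_;
    return 1 unless $url =~ m{\Ahttps://}i;            # plain http: nothing to verify
    die "refusing $url: verify_SSL is off\n" unless $ua->verify_SSL;
    die "refusing $url: HTTP::Tiny has no SSL support\n" unless HTTP::Tiny->can_ssl;
    return 1;
}

my $url = 'https://cpan.org/';   # from the advisory; never actually requested here
for my $pair ([implicit => $implicit], [explicit => $explicit]) {
    my ($name, $ua) = @$pair;
    my $ok = eval { assert_verifying_https($ua, $url) };
    printf "%-8s verify_SSL=%d -> %s", $name, $ua->verify_SSL ? 1 : 0,
        $ok ? "would send request\n" : $@;
}

# --- Part 2: static audit of source text -----------------------------------

# Returns the line numbers of HTTP::Tiny->new calls in $src whose argument
# list never mentions verify_SSL. A bare ->new with no parentheses counts too.
# Group 1 recurses into itself via (?1) so nested calls inside the argument
# list are consumed as one balanced unit.
sub unverified_ctor_lines {
    my ($src) = @_;
    my @lines;
    while ($src =~ /HTTP::Tiny\s*->\s*new\b\s*(\((?:[^()]++|(?1))*\))?/g) {
        my $args   = defined $1 ? $1 : '';
        my $prefix = substr($src, 0, $-[0]);          # text before the match
        my $line   = 1 + ($prefix =~ tr/\n//);        # count newlines => line no.
        push @lines, $line unless $args =~ /\bverify_SSL\b/;
    }
    return @lines;
}

# Constructed sample module source (not taken from any real distribution).
my $sample = <<'END_SRC';
use HTTP::Tiny;
my $ua   = HTTP::Tiny->new(timeout => 10);                  # no verify_SSL
my $safe = HTTP::Tiny->new(verify_SSL => 1, timeout => 10); # explicit
my $bare = HTTP::Tiny->new;                                 # bare constructor
my $cfg  = HTTP::Tiny->new(%{ opts() }, verify_SSL => $v);  # explicit, nested parens
END_SRC

my @hits = unverified_ctor_lines($sample);
print "HTTP::Tiny->new calls without verify_SSL on sample lines: @hits\n";
```

On the constructed sample the audit reports lines 2 and 4 (the bare constructor and the call that only passes timeout); the call on line 5 is accepted because verify_SSL is present, even though its value is a variable the static check cannot evaluate. Two caveats for anyone using this as more than an illustration: the regex only sees literal HTTP::Tiny->new calls, so objects created through a subclass or a `$class->new` indirection are missed, and a flagged call is only dangerous if the object is later used for HTTPS. On the runtime side, note that a failed certificate check does not throw: HTTP::Tiny returns a response with status 599 and the error text in its content, so callers must treat a 599 as a failed request rather than reading its body as the download.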

