Back to bug 2218667
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Marco Benatto | 2023-06-29 19:17:06 UTC | CC | jplesnik, mspacek, perl-maint-list | |
| Jitka Plesnikova | 2023-06-30 07:26:32 UTC | CC | vondruch | |
| Marco Benatto | 2023-06-30 14:12:00 UTC | Depends On | 2218904 | |
| Marco Benatto | 2023-06-30 14:12:50 UTC | Depends On | 2218908, 2218906, 2218905, 2218907 | |
| Marco Benatto | 2023-07-03 16:57:06 UTC | Severity | high | medium |
| Marco Benatto | 2023-07-03 16:57:06 UTC | Priority | high | medium |
| Marco Benatto | 2023-07-03 17:02:13 UTC | Doc Text | Perl's CPAN doesn't check TLS certificates when downloading content, this happens because of a missing `verify_SSL` when using the `HTTP::Tiny` library during the connection. An attacker may leverage that by injecting itself into the network path and perform a Man-In-The-Middle attack, causing confidentiality or integrity issues. | |
| Marco Benatto | 2023-07-03 17:03:44 UTC | Summary | TRIAGE-CVE-2023-31484 perl: CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS | CVE-2023-31484 TRIAGE-CVE-2023-31484 perl: CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS |
| Marco Benatto | 2023-07-03 17:03:44 UTC | Alias | TRIAGE-CVE-2023-31484 | CVE-2023-31484 |
| Marco Benatto | 2023-07-03 17:03:58 UTC | Summary | CVE-2023-31484 TRIAGE-CVE-2023-31484 perl: CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS | CVE-2023-31484 perl: CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS |
| Paige Jung | 2023-07-04 15:20:36 UTC | Doc Text | Perl's CPAN doesn't check TLS certificates when downloading content, this happens because of a missing `verify_SSL` when using the `HTTP::Tiny` library during the connection. An attacker may leverage that by injecting itself into the network path and perform a Man-In-The-Middle attack, causing confidentiality or integrity issues. | A flaw was found in Perl's CPAN, which doesn't check TLS certificates when downloading content. This happens due to `verify_SSL` missing when using the `HTTP::Tiny` library during the connection. This may allow an attacker to inject into the network path and perform a Man-In-The-Middle attack, causing confidentiality or integrity issues. |
| Red Hat Bugzilla | 2023-07-07 08:35:06 UTC | Assignee | security-response-team | nobody |