Bug 2218667 (CVE-2023-31484) - CVE-2023-31484 perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS
Summary: CVE-2023-31484 perl: CPAN.pm does not verify TLS certificates when downloadin...
Keywords:
Status: NEW
Alias: CVE-2023-31484
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2218904 2218905 2218906 2218907 2218908
Blocks: 2192430
Reported: 2023-06-29 19:13 UTC by Marco Benatto
Modified: 2024-04-10 13:38 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Perl's CPAN, which does not check TLS certificates when downloading content. This happens because `verify_SSL` is not set when using the `HTTP::Tiny` library for the connection. This may allow an attacker positioned in the network path to perform a Man-in-the-Middle attack, causing confidentiality or integrity issues.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System: Red Hat Product Errata  ID: RHSA-2023:6539  Private: 0  Priority: None  Status: None  Summary: None  Last Updated: 2023-11-07 08:19:14 UTC

Description Marco Benatto 2023-06-29 19:13:16 UTC
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
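As an added illustration (not code from the bug report, CPAN.pm or HTTP::Tiny), the weak client construction described above next to a verifying one, with a download routine that refuses to proceed unless the client can actually verify certificates. The URL and file names are placeholders supplied on the command line.

```perl
#!/usr/bin/env perl
# Added example, not part of the original bug report or of CPAN.pm.
use strict;
use warnings;
use HTTP::Tiny;

# Weak configuration: the pattern behind the bug. With verify_SSL unset the
# client does not check the server certificate, so any host on the network
# path can hand back a substituted distribution tarball.
sub insecure_client {
    return HTTP::Tiny->new();          # verify_SSL not set
}

# Hardened configuration: verify the peer certificate. Set verify_SSL
# explicitly instead of relying on the module default, which varies by
# HTTP::Tiny version. An optional CA bundle path can be passed through
# SSL_options (hypothetical ca_file parameter of this helper).
sub verifying_client {
    my %opt = @_;
    return HTTP::Tiny->new(
        verify_SSL  => 1,
        SSL_options => { $opt{ca_file} ? ( SSL_ca_file => $opt{ca_file} ) : () },
    );
}

# Download a distribution to $dest, failing closed when TLS verification is
# unavailable (missing IO::Socket::SSL / Net::SSLeay or no CA bundle found).
sub fetch_dist {
    my ( $ua, $url, $dest ) = @_;
    my ( $ok, $why ) = $ua->can_ssl;        # honours verify_SSL when checking
    die "cannot verify TLS: $why\n" unless $ok;
    my $res = $ua->mirror( $url, $dest );
    die "download failed: $res->{status} $res->{reason}\n"
      unless $res->{success};
    return $dest;
}

# Usage: perl fetch_dist.pl https://<mirror>/authors/id/.../Dist-1.00.tar.gz Dist-1.00.tar.gz
if ( !caller ) {
    my ( $url, $dest ) = @ARGV;
    die "usage: $0 URL DEST\n" unless $url && $dest;
    print "saved ", fetch_dist( verifying_client(), $url, $dest ), "\n";
}
```

With the verifying client, a server presenting a certificate that does not chain to a trusted CA or does not match the host name makes `mirror` return a failed response instead of a tarball.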

Comment 1 Marco Benatto 2023-06-30 14:12:04 UTC
Created perl tracking bugs for this issue:

Affects: fedora-all [bug 2218904]

Comment 3 Marco Benatto 2023-07-03 16:57:06 UTC
Public commit for this issue in perl upstream:
https://github.com/Perl/perl5/commit/96ea0b9b6169d72ff9a79b49e89d58bbf4f61620

Comment 5 Marco Benatto 2023-07-03 17:04:44 UTC
Public commit for this issue in CPAN.pm upstream:
https://github.com/andk/cpanpm/pull/175/commits/c58b55d0c22c86ec015e694450585b0c23c4750c

Comment 7 errata-xmlrpc 2023-11-07 08:19:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6539 https://access.redhat.com/errata/RHSA-2023:6539

