List: oss-security
Subject: Re: [oss-security] Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modu
From: Demi Marie Obenour <demi () invisiblethingslab ! com>
Date: 2023-04-19 14:18:27
Message-ID: ZD/4ODBjTesPMECg () itl-email
On Tue, Apr 18, 2023 at 05:46:30PM +0200, Stig Palmquist wrote:
> HTTP::Tiny v0.082, a Perl core module since v5.13.9 and available
> standalone on CPAN, does not verify TLS certs by default. Users must
> opt-in with the verify_SSL=>1 flag to verify certs when using HTTPS.
>
> We grepped through CPAN to find distributions using HTTP::Tiny that
> didn't specify cert verification behaviour, possibly exposing users to
> MITM attacks. Here are some examples with patches:
>
> - CPAN.pm v2.34 downloads and executes code from https://cpan.org
> without verifying server certs. Fixed in v2.35-TRIAL.
> https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0
>
> - GitLab::API::v4 v0.26 exposes API secrets to a network attacker.
> https://github.com/bluefeet/GitLab-API-v4/pull/57
>
> - Finance::Robinhood v0.21 is maybe exposing API secrets and financial
> information to a network attacker.
> https://github.com/sanko/Finance-Robinhood/pull/6
>
> - Paws (aws-sdk-perl) v0.44 is maybe exposing API secrets to a network
> attacker.
> https://github.com/pplu/aws-sdk-perl/pull/426
>
> - CloudHealth::API v0.01 is maybe exposing API secrets to a network
> attacker.
> https://github.com/pplu/cloudhealth-api-perl/pull/2
>
> ... and more. We have generated a list of over 300 potentially affected
> CPAN distributions.
>
> More info in our blog post:
> https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
IMO this is an HTTP::Tiny vulnerability.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
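The thread above describes two things a defender wants in code: a client that verifies the server certificate regardless of the module's default, and a way to find constructor calls in one's own tree that never set `verify_SSL`. The script below is an added example written for this page; it is not from the original post, from HTTP::Tiny, or from any of the distributions named. It uses only the documented HTTP::Tiny interface (`new`, `verify_SSL`, `timeout`, `SSL_options`, the `get` response hash and the 599 pseudo-status for internal errors); the `ca_file` option, the function names and the source-scanning regex are this example's own, and the scan is a single-line heuristic, not a parser.

```perl
#!/usr/bin/env perl
# Added example (not from the oss-security post or from HTTP::Tiny itself):
# 1) build an HTTP::Tiny client that verifies TLS certificates explicitly,
#    whatever the installed version's default is, and
# 2) heuristically scan local Perl sources for HTTP::Tiny->new(...) calls
#    that never mention verify_SSL, the pattern the post describes.
use strict;
use warnings;
use HTTP::Tiny;
use File::Find;

# Client with certificate verification turned on explicitly.
# verify_SSL => 1 makes HTTP::Tiny (via IO::Socket::SSL) check the chain
# and the hostname. An optional CA bundle path goes through SSL_options;
# the 'ca_file' key here is this example's own, not an HTTP::Tiny option.
sub secure_client {
    my (%opt) = @_;
    my %ssl_options;
    $ssl_options{SSL_ca_file} = $opt{ca_file} if $opt{ca_file};
    return HTTP::Tiny->new(
        verify_SSL  => 1,
        timeout     => $opt{timeout} // 10,
        SSL_options => \%ssl_options,
    );
}

# Fetch a URL and distinguish a TLS/connection failure from an ordinary
# HTTP error. HTTP::Tiny reports internal errors (including a failed
# certificate check) with pseudo-status 599 and the error text in 'content'.
sub fetch_verified {
    my ($url, %opt) = @_;
    my $res = secure_client(%opt)->get($url);
    if ($res->{status} == 599) {
        return { ok => 0, tls_error => $res->{content} };
    }
    return {
        ok     => $res->{success} ? 1 : 0,
        status => $res->{status},
        reason => $res->{reason},
    };
}

# Heuristic audit: report HTTP::Tiny->new(...) calls whose argument list
# does not mention verify_SSL. Only single-line constructor calls are
# recognised; multi-line calls and wrapper subs are missed, so treat hits
# as leads to review, not as a verdict.
sub audit_file {
    my ($path) = @_;
    open my $fh, '<', $path or return ();
    my @hits;
    while (my $line = <$fh>) {
        next unless $line =~ /HTTP::Tiny->new\b\s*(?:\(([^)]*)\))?/;
        my $args = $1 // '';                    # no parens => no arguments
        push @hits, { file => $path, line => $., text => $line }
            unless $args =~ /verify_SSL/;
    }
    close $fh;
    return @hits;
}

# Walk a directory and audit every .pm, .pl and .t file in it.
sub audit_tree {
    my ($dir) = @_;
    my @hits;
    find(sub {
        push @hits, audit_file($File::Find::name)
            if -f $_ && /\.(?:pm|pl|t)\z/;
    }, $dir);
    return @hits;
}

unless (caller) {
    my ($cmd, $arg) = @ARGV;
    if (($cmd // '') eq 'fetch') {
        my $r = fetch_verified($arg // 'https://cpan.org/');
        print $r->{ok}
            ? "OK $r->{status}\n"
            : "FAILED: " . ($r->{tls_error} // "$r->{status} $r->{reason}") . "\n";
    } elsif (($cmd // '') eq 'audit') {
        printf "%s:%d: %s", $_->{file}, $_->{line}, $_->{text} for audit_tree($arg // '.');
    } else {
        print "usage: $0 fetch [URL] | audit [DIR]\n";
    }
}
```

`perl example.pl fetch https://cpan.org/` exercises the verifying client; with `verify_SSL => 1` HTTP::Tiny needs IO::Socket::SSL and Net::SSLeay installed, and falls back to the system CA store (or Mozilla::CA) when no `SSL_ca_file` is given. `perl example.pl audit lib/` lists constructor calls in a local tree that leave verification to the module default, which is exactly the condition the post's CPAN-wide grep was looking for. Passing `verify_SSL => 1` explicitly is the right fix for application code independent of which HTTP::Tiny version ends up installed.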