
List:       oss-security
Subject:    Re: [oss-security] Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modu
From:       Stig Palmquist <stig@stig.io>
Date:       2023-04-29 10:04:07
Message-ID: 20230429100407.3yqdy2vtzokv3t5l@stig.io


- CVE-2023-31484 for CPAN.pm 
- CVE-2023-31485 for GitLab::API::v4 
- CVE-2023-31486 for HTTP::Tiny

On 2023-04-18 17:46, Stig Palmquist wrote:
> HTTP::Tiny v0.082, a Perl core module since v5.13.9 and available
> standalone on CPAN, does not verify TLS certs by default. Users must
> opt-in with the verify_SSL=>1 flag to verify certs when using HTTPS.
> 
> We grepped through CPAN to find distributions using HTTP::Tiny that
> didn't specify cert verification behaviour, possibly exposing users to
> MITM attacks. Here are some examples with patches:
> 
> - CPAN.pm v2.34 downloads and executes code from https://cpan.org
>   without verifying server certs. Fixed in v2.35-TRIAL.
>   https://github.com/andk/cpanpm/commit/9c98370287f4e709924aee7c58ef21c85289a7f0
> 
> - GitLab::API::v4 v0.26 exposes API secrets to a network attacker.
>   https://github.com/bluefeet/GitLab-API-v4/pull/57
> 
> - Finance::Robinhood v0.21 is maybe exposing API secrets and financial
>   information to a network attacker.
>   https://github.com/sanko/Finance-Robinhood/pull/6
> 
> - Paws (aws-sdk-perl) v0.44 is maybe exposing API secrets to a network
>   attacker.
>   https://github.com/pplu/aws-sdk-perl/pull/426
> 
> - CloudHealth::API v0.01 is maybe exposing API secrets to a network
>   attacker.
>   https://github.com/pplu/cloudhealth-api-perl/pull/2
> 
> ... and more. We have generated a list of over 300 potentially affected
> CPAN distributions.
> 
> More info in our blog post:
> https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
> 
> -- 
> Stig Palmquist <stig@stig.io>
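The opt-in described in the quoted message, shown side by side with the insecure default. This is an added example written for this page; it is not code from the advisory, from HTTP::Tiny, or from any of the patched distributions. The target URL is an assumption for illustration, and the commented-out SSL_ca_file path is a placeholder, not a value the advisory gives.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory or from HTTP::Tiny itself):
# the insecure default client next to a client that verifies certificates.
use strict;
use warnings;
use HTTP::Tiny;

# First make sure the TLS stack HTTP::Tiny needs is present at all;
# can_ssl returns (1) or (0, reason) depending on IO::Socket::SSL/Net::SSLeay.
my ($can_ssl, $why) = HTTP::Tiny->can_ssl;
die "No usable TLS support for HTTP::Tiny: $why\n" unless $can_ssl;

# Insecure default on HTTP::Tiny 0.082: verify_SSL is 0, so any certificate
# presented by whoever answers on port 443 is accepted (the MITM case above).
my $insecure = HTTP::Tiny->new;

# Hardened: opt in explicitly. With verify_SSL => 1, HTTP::Tiny configures
# IO::Socket::SSL to verify the chain and to check the hostname.
my $secure = HTTP::Tiny->new(
    verify_SSL  => 1,
    SSL_options => {
        # SSL_options are merged over HTTP::Tiny's own verification settings,
        # so never put SSL_verify_mode => 0 here: it silently re-disables
        # verification. Pinning a CA bundle is optional; placeholder path:
        # SSL_ca_file => '/path/to/ca-bundle.crt',
    },
);

# verify_SSL is also a read accessor, handy for auditing a client object that
# some other module constructed and handed back to you.
for my $client ($insecure, $secure) {
    printf "verify_SSL=%d\n", $client->verify_SSL ? 1 : 0;
}

# Fetch with the hardened client. A certificate that does not chain to a
# trusted CA, or whose name does not match the host, makes the request fail
# with HTTP::Tiny's internal status 599 and the reason in {content}.
my $url = 'https://www.cpan.org/';    # assumed target for illustration
my $res = $secure->get($url);

if ($res->{success}) {
    printf "OK: %s %s (%d bytes)\n",
        $res->{status}, $res->{reason}, length $res->{content};
}
else {
    # e.g. "SSL connection failed for www.cpan.org: certificate verify failed"
    printf "FAILED: %s %s: %s\n",
        $res->{status}, $res->{reason}, $res->{content};
}
```

Run it against a host whose certificate is self-signed, or with a deliberately wrong CA bundle in SSL_ca_file, to see the 599 path: that failure is exactly what the default HTTP::Tiny->new client would not produce, which is why a grep for HTTP::Tiny->new calls that lack verify_SSL is a reasonable first audit step for your own code base.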

