
CVE-2023-31486

Publication date 29 April 2023

Last updated 24 July 2024


Ubuntu priority

CVSS 3 severity score

8.1 · High

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.


Status

Package            Ubuntu release    Status
libhttp-tiny-perl  23.04 lunar       Ignored (end of life, was ignored [see notes])
libhttp-tiny-perl  22.10 kinetic     Ignored (end of life, was ignored [see notes])
libhttp-tiny-perl  22.04 LTS jammy   Ignored (see notes)
libhttp-tiny-perl  20.04 LTS focal   Ignored (see notes)
libhttp-tiny-perl  18.04 LTS bionic  Ignored (see notes)
libhttp-tiny-perl  16.04 LTS xenial  Ignored (see notes)
libhttp-tiny-perl  14.04 LTS trusty  Ignored (end of standard support)
perl               23.04 lunar       Ignored (end of life, was ignored [see notes])
perl               22.10 kinetic     Ignored (end of life, was ignored [see notes])
perl               22.04 LTS jammy   Ignored (see notes)
perl               20.04 LTS focal   Ignored (see notes)
perl               18.04 LTS bionic  Ignored (see notes)
perl               16.04 LTS xenial  Ignored (see notes)
perl               14.04 LTS trusty  Ignored (see notes)

Notes


ccdm94

It seems like upstream will not be fixing this issue due to the large risk that it might break things and in order to maintain backwards compatibility. As per the information available in https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT, HTTP::Tiny aims to not make assumptions about trust models chosen by users, and, therefore, according to the documentation and upstream's position regarding this issue (see p5-http-tiny issues 68 and 134), it is recommended that users set the verify_SSL option in their own code in order to apply certificate verification functionalities to their applications. Due to the risk of this issue introducing regressions and all that has been mentioned up to this point, releases will be marked as ignored.
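The mitigation the note points to, as an added example that is not part of the Ubuntu page or the HTTP::Tiny project: the insecure default client beside one that opts in to certificate verification, plus a small check that refuses a client which is not verifying. The URL and the CA bundle path are illustrative assumptions; IO::Socket::SSL must be installed for HTTPS.

```perl
#!/usr/bin/perl
# Added example, not code from the Ubuntu page or from HTTP::Tiny itself.
# On HTTP::Tiny before 0.083 (the versions shipped in the Ubuntu
# packages listed above) TLS certificates are NOT verified unless the
# caller sets verify_SSL => 1, which is what the note above recommends.
use strict;
use warnings;
use HTTP::Tiny;

my $url = 'https://example.com/';   # assumed URL, for illustration only

# Weak: the pre-0.083 default. Any certificate is accepted, so a
# machine in the network path can present its own certificate and
# read or alter the exchange without the client noticing.
my $insecure = HTTP::Tiny->new;

# Hardened: opt in to verification explicitly in application code.
# verify_SSL is honoured on every HTTP::Tiny version, so this protects
# code running on the unfixed packages as well as on newer releases.
my $secure = HTTP::Tiny->new(
    verify_SSL  => 1,
    # Optional: point at a specific CA bundle instead of the defaults
    # (assumed path; IO::Socket::SSL option name).
    SSL_options => { SSL_ca_file => '/etc/ssl/certs/ca-certificates.crt' },
);

# Guard for code review or a startup self-check: fail closed if a
# client was constructed without verification. verify_SSL() is the
# read-only accessor HTTP::Tiny provides for the constructor option.
sub assert_verifying {
    my ($ua) = @_;
    die "HTTP::Tiny client does not verify TLS certificates\n"
        unless $ua->verify_SSL;
    return 1;
}

assert_verifying($secure);               # returns 1
eval { assert_verifying($insecure) };    # dies
print "rejected insecure client: $@" if $@;

# With verify_SSL => 1 a certificate problem surfaces as a 599
# "internal exception" response instead of a silently accepted page,
# so callers must check success() rather than assume a body arrived.
my $res = $secure->get($url);
printf "%s %s\n", $res->{status}, $res->{reason};
print "TLS/transport error: $res->{content}\n" unless $res->{success};
```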

Severity score breakdown

Parameter             Value
Base score            8.1 · High
Attack vector         Network
Attack complexity     High
Privileges required   None
User interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity impact      High
Availability impact   High
Vector                CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H