The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable.
[
{
"product": "LWP::Protocol::https",
"vendor": "libwww-perl",
"versions": [
{
"status": "affected",
"version": "6.04 through 6.06"
}
]
}
]