CVSS2 base score: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector string: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS score: 0.002 Low
EPSS percentile: 57.4%
The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in
WWW::Mechanize, LWP::UserAgent, and other products, when running in
environments that do not set the If-SSL-Cert-Subject header, does not
enable full validation of SSL certificates by default, which allows remote
attackers to spoof servers via man-in-the-middle (MITM) attacks involving
hostnames that are not properly validated. NOTE: it could be argued that
this is a design limitation of the Net::HTTPS API, and separate
implementations should be independently assigned CVE identifiers for not
working around this limitation. However, because this API was modified
within LWP, a single CVE identifier has been assigned.
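The practical consequence of the description above is that a caller cannot rely on the library default and should pin verification explicitly. The script below is an added example written for this entry; it is not code from libwww-perl, the MITRE description, or the Ubuntu notes. It assumes LWP 6.00 or later for the `ssl_opts` interface, the Debian/Ubuntu CA bundle path `/etc/ssl/certs/ca-certificates.crt`, and that the peer certificate subject is matched by the legacy `If-SSL-Cert-Subject` header as a regex against an OpenSSL one-line DN such as `/C=GB/O=Example/CN=example.com`. The helper names `make_verifying_ua`, `verification_enabled` and `legacy_subject_check_request` are mine.

```perl
#!/usr/bin/perl
# Added example for this tracker entry, not part of libwww-perl.
# Shows (a) explicit chain + hostname verification on LWP >= 6.00 and
# (b) the pre-6.00 If-SSL-Cert-Subject mitigation and its limits.
use strict;
use warnings;
use LWP ();            # exports nothing; gives us $LWP::VERSION
use LWP::UserAgent;
use HTTP::Request;

# Assumption: Debian/Ubuntu ca-certificates bundle location.
my $CA_FILE = '/etc/ssl/certs/ca-certificates.crt';

# Build a user agent that verifies the server certificate chain and the
# hostname.  On LWP 6.00+ ssl_opts is the documented interface and
# LWP::Protocol::https turns verify_hostname => 1 into IO::Socket::SSL's
# SSL_verify_mode / SSL_verifycn_scheme => 'www'.  The default is also 1,
# but PERL_LWP_SSL_VERIFY_HOSTNAME=0 in the environment silently turns it
# off, so a security-sensitive caller pins it rather than trusting the default.
sub make_verifying_ua {
    my (%args) = @_;
    die "LWP $LWP::VERSION predates 6.00: ssl_opts is unavailable, "
      . "see legacy_subject_check_request()\n"
      if $LWP::VERSION < 6;

    return LWP::UserAgent->new(
        timeout  => 10,
        ssl_opts => {
            verify_hostname => 1,
            SSL_ca_file     => $args{ca_file} // $CA_FILE,
        },
    );
}

# Report what a user agent will actually do, so a deployment can refuse to
# start with verification off instead of finding out during a MITM.
sub verification_enabled {
    my ($ua) = @_;
    return 0 unless $ua->can('ssl_opts');            # pre-6.00: no ssl_opts at all
    return $ua->ssl_opts('verify_hostname') ? 1 : 0;
}

# Pre-6.00 LWP::Protocol::https honours the If-SSL-Cert-Subject request
# header: the value is a regex matched against the peer certificate's
# subject DN and the request fails on mismatch.  Caveat: this is a
# subject-string check only.  Whether the chain is verified at all still
# depends on the IO::Socket::SSL / Net::SSL defaults on the host, so treat
# it as a mitigation, not as a substitute for verify_hostname.
sub legacy_subject_check_request {
    my ($url, $expected_cn) = @_;
    my $req = HTTP::Request->new(GET => $url);
    # Anchor the CN at both ends so "example.com.attacker.net" cannot match.
    my $cn = quotemeta($expected_cn);
    $req->header('If-SSL-Cert-Subject' => "CN=$cn(/|\$)");
    return $req;
}

if (@ARGV) {
    my $ua = make_verifying_ua();
    die "refusing to run with certificate verification off\n"
        unless verification_enabled($ua);
    my $res = $ua->get($ARGV[0]);
    # Against a spoofed server LWP returns an HTTP::Response with code 500
    # whose status line carries the SSL verification error.
    print $res->status_line, "\n";
}
```

Run it as `perl verify.pl https://example.com/` with a given URL; with no argument it only defines the helpers. The `If-SSL-Cert-Subject` path is what the description means by "environments that do not set the If-SSL-Cert-Subject header": it was the only hook older LWP offered, and even then it constrains the subject, not the issuing chain.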
Author | Note |
---|---|
tyhicks | https support moved to liblwp-protocol-https-perl package in Oneiric. Mitre description suggests that only CN checking is skipped by default, while the Red Hat bugzilla suggests that possibly no cert checks are done by default. Testing needed to be sure. |
mdeslaur | hardy's libio-socket-ssl-perl doesn't validate certs at all, so we can't just fix libwww-perl. Not many reverse dependencies in main seem to use https, and introducing this into a stable release may cause disruptions for systems using munin, custom code, or some other packages. We are not going to fix this issue in stable releases. If certificate validation is required, we suggest moving to oneiric or newer, or using a backported libwww-perl package. |