Veracode Vulnerability Database: VERACODE:45061

Improper Certificate Validation

Published: Jan 15, 2024 - 11:23 a.m. (2024-01-15 11:23:55)
Source: sca.analysiscenter.veracode.com

Tags: cpan.pm vulnerability, improper certificate validation, tls certificates, http::tiny library, man-in-the-middle attack, confidentiality, integrity issues

CVSS3: 8.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 6.5
Confidence: Low

EPSS: 0.005
Percentile: 75.5%

CPAN.pm is vulnerable to Improper Certificate Validation. The vulnerability is caused by not verifying TLS certificates when downloading distributions over HTTPS, because the verify_SSL option is not set when the HTTP::Tiny library is used for the connection. An attacker positioned in the network path can therefore perform a Man-In-The-Middle attack against the download, causing confidentiality or integrity issues.
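The following Perl snippet is an added illustration of the weak and the corrected HTTP::Tiny usage described above; it is not CPAN.pm's own code. The function names (fetch_unverified, fetch_verified, tls_ready) and the distribution URL are constructed for the example. The HTTP::Tiny constructor option is verify_SSL and the class method can_ssl are real HTTP::Tiny APIs; in HTTP::Tiny releases where verify_SSL defaults to false, leaving it unset means the server certificate is never checked.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Tiny;

# Constructed example URL: stands in for a distribution path on a CPAN mirror.
my $DIST_URL = 'https://example.invalid/authors/id/A/AU/AUTHOR/Some-Dist-1.00.tar.gz';

# Weak pattern (the defect described in the advisory): verify_SSL is never set.
# On HTTP::Tiny releases whose default is false, the client accepts any
# certificate the peer presents, so the download can be intercepted.
sub fetch_unverified {
    my ($url) = @_;
    my $http = HTTP::Tiny->new(agent => 'example-fetcher/1.0');
    return $http->get($url);
}

# Hardened pattern: verify_SSL => 1 makes HTTP::Tiny validate the certificate
# chain and hostname via IO::Socket::SSL. A forged or mismatched certificate
# turns into a failed request (HTTP::Tiny reports status 599 with the reason
# in 'content') instead of a silently tampered download.
sub fetch_verified {
    my ($url) = @_;
    my $http = HTTP::Tiny->new(
        agent      => 'example-fetcher/1.0',
        verify_SSL => 1,
    );
    return $http->get($url);
}

# Verification only helps if the TLS prerequisites are installed.
# HTTP::Tiny->can_ssl returns true when IO::Socket::SSL and Net::SSLeay are
# usable; in list context it also returns the reason when they are not.
sub tls_ready {
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    return ($ok, $why);
}

# Guarded download: refuse to fall back to unverified HTTPS when the TLS
# stack is missing; surface the problem instead.
sub download_distribution {
    my ($url) = @_;
    my ($ok, $why) = tls_ready();
    die "TLS verification unavailable: $why\n" unless $ok;

    my $res = fetch_verified($url);
    return $res if $res->{success};
    die sprintf("download failed: %s %s (%s)\n",
        $res->{status}, $res->{reason}, $res->{content} // '');
}

if (!caller) {
    my ($ok, $why) = tls_ready();
    print "HTTP::Tiny ", HTTP::Tiny->VERSION, ", TLS usable: ",
        ($ok ? "yes" : "no ($why)"), "\n";
    eval { download_distribution($DIST_URL); 1 }
        or print "Expected failure against the constructed host: $@";
}
```

When auditing a code base for this class of bug, search for HTTP::Tiny->new calls and confirm each one that fetches over https either passes verify_SSL => 1 or runs on an HTTP::Tiny version whose default is already true; the can_ssl check above catches the environment where verification would be requested but cannot be performed.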
