CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.
Weakness
The product does not validate, or incorrectly validates, a certificate.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Cpanpm | Cpanpm_project | * | 2.35 (excluding) |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | perl-4:5.16.3-299.el7_9.1 | * |
| Red Hat Enterprise Linux 8 | RedHat | perl-CPAN-0:2.18-399.el8 | * |
| Red Hat Enterprise Linux 9 | RedHat | perl-CPAN-0:2.29-3.el9 | * |
| Perl | Ubuntu | bionic | * |
| Perl | Ubuntu | devel | * |
| Perl | Ubuntu | esm-infra-legacy/trusty | * |
| Perl | Ubuntu | esm-infra/bionic | * |
| Perl | Ubuntu | esm-infra/focal | * |
| Perl | Ubuntu | esm-infra/xenial | * |
| Perl | Ubuntu | focal | * |
| Perl | Ubuntu | jammy | * |
| Perl | Ubuntu | kinetic | * |
| Perl | Ubuntu | lunar | * |
| Perl | Ubuntu | trusty | * |
| Perl | Ubuntu | trusty/esm | * |
| Perl | Ubuntu | upstream | * |
| Perl | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
References
- http://www.openwall.com/lists/oss-security/2023/04/29/1
- http://www.openwall.com/lists/oss-security/2023/05/03/3
- http://www.openwall.com/lists/oss-security/2023/05/03/5
- http://www.openwall.com/lists/oss-security/2023/05/07/2
- https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
- https://github.com/andk/cpanpm/pull/175
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
- https://metacpan.org/dist/CPAN/changes
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://www.openwall.com/lists/oss-security/2023/04/18/14
- http://www.openwall.com/lists/oss-security/2023/04/29/1
- http://www.openwall.com/lists/oss-security/2023/05/03/3
- http://www.openwall.com/lists/oss-security/2023/05/03/5
- http://www.openwall.com/lists/oss-security/2023/05/07/2
- https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
- https://github.com/andk/cpanpm/pull/175
- https://lists.debian.org/debian-lts-announce/2024/10/msg00017.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
- https://metacpan.org/dist/CPAN/changes
- https://security.netapp.com/advisory/ntap-20240621-0007/
- https://www.openwall.com/lists/oss-security/2023/04/18/14