GitLab::API::v4 through 0.26 does not verify TLS certificates when connecting to a GitLab server, enabling machine-in-the-middle attacks.
Weakness
The product does not validate, or incorrectly validates, a certificate.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gitlab::api::v4 | Gitlab::api::v4_project | * | 0.26 (including) |
| Libgitlab-api-v4-perl | Ubuntu | bionic | * |
| Libgitlab-api-v4-perl | Ubuntu | esm-apps/bionic | * |
| Libgitlab-api-v4-perl | Ubuntu | esm-infra/focal | * |
| Libgitlab-api-v4-perl | Ubuntu | focal | * |
| Libgitlab-api-v4-perl | Ubuntu | jammy | * |
| Libgitlab-api-v4-perl | Ubuntu | kinetic | * |
| Libgitlab-api-v4-perl | Ubuntu | lunar | * |
| Libgitlab-api-v4-perl | Ubuntu | mantic | * |
| Libgitlab-api-v4-perl | Ubuntu | trusty | * |
| Libgitlab-api-v4-perl | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
References
- http://www.openwall.com/lists/oss-security/2023/04/29/1
- http://www.openwall.com/lists/oss-security/2023/05/03/3
- http://www.openwall.com/lists/oss-security/2023/05/03/5
- http://www.openwall.com/lists/oss-security/2023/05/07/2
- https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
- https://github.com/bluefeet/GitLab-API-v4/pull/57
- https://github.com/chansen/p5-http-tiny/pull/151
- https://www.openwall.com/lists/oss-security/2023/04/18/14
- http://www.openwall.com/lists/oss-security/2023/04/29/1
- http://www.openwall.com/lists/oss-security/2023/05/03/3
- http://www.openwall.com/lists/oss-security/2023/05/03/5
- http://www.openwall.com/lists/oss-security/2023/05/07/2
- https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
- https://github.com/bluefeet/GitLab-API-v4/pull/57
- https://github.com/chansen/p5-http-tiny/pull/151
- https://www.openwall.com/lists/oss-security/2023/04/18/14