HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
Weakness
The product does not validate, or incorrectly validates, a certificate.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Http::tiny | Http::tiny_project | * | 0.083 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | perl-HTTP-Tiny-0:0.074-2.el8 | * |
| Red Hat Enterprise Linux 8.6 Extended Update Support | RedHat | perl-HTTP-Tiny-0:0.074-1.el8_6.1 | * |
| Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | perl-HTTP-Tiny-0:0.074-1.el8_8.2 | * |
| Red Hat Enterprise Linux 9 | RedHat | perl-HTTP-Tiny-0:0.076-461.el9 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | perl-HTTP-Tiny-0:0.076-461.el9_2 | * |
| Libhttp-tiny-perl | Ubuntu | bionic | * |
| Libhttp-tiny-perl | Ubuntu | devel | * |
| Libhttp-tiny-perl | Ubuntu | esm-apps/bionic | * |
| Libhttp-tiny-perl | Ubuntu | esm-apps/focal | * |
| Libhttp-tiny-perl | Ubuntu | esm-apps/jammy | * |
| Libhttp-tiny-perl | Ubuntu | esm-apps/xenial | * |
| Libhttp-tiny-perl | Ubuntu | focal | * |
| Libhttp-tiny-perl | Ubuntu | jammy | * |
| Libhttp-tiny-perl | Ubuntu | kinetic | * |
| Libhttp-tiny-perl | Ubuntu | lunar | * |
| Libhttp-tiny-perl | Ubuntu | trusty | * |
| Libhttp-tiny-perl | Ubuntu | upstream | * |
| Libhttp-tiny-perl | Ubuntu | xenial | * |
| Perl | Ubuntu | bionic | * |
| Perl | Ubuntu | devel | * |
| Perl | Ubuntu | esm-infra-legacy/trusty | * |
| Perl | Ubuntu | esm-infra/bionic | * |
| Perl | Ubuntu | esm-infra/focal | * |
| Perl | Ubuntu | esm-infra/xenial | * |
| Perl | Ubuntu | focal | * |
| Perl | Ubuntu | jammy | * |
| Perl | Ubuntu | kinetic | * |
| Perl | Ubuntu | lunar | * |
| Perl | Ubuntu | trusty | * |
| Perl | Ubuntu | trusty/esm | * |
| Perl | Ubuntu | upstream | * |
| Perl | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
References
- http://www.openwall.com/lists/oss-security/2023/04/29/1
- http://www.openwall.com/lists/oss-security/2023/05/03/3
- http://www.openwall.com/lists/oss-security/2023/05/03/5
- http://www.openwall.com/lists/oss-security/2023/05/07/2
- https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
- https://github.com/chansen/p5-http-tiny/pull/153
- https://hackeriet.github.io/cpan-http-tiny-overview/
- https://www.openwall.com/lists/oss-security/2023/04/18/14
- https://www.openwall.com/lists/oss-security/2023/05/03/4
- https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/
- http://www.openwall.com/lists/oss-security/2023/04/29/1
- http://www.openwall.com/lists/oss-security/2023/05/03/3
- http://www.openwall.com/lists/oss-security/2023/05/03/5
- http://www.openwall.com/lists/oss-security/2023/05/07/2
- https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
- https://github.com/chansen/p5-http-tiny/pull/153
- https://hackeriet.github.io/cpan-http-tiny-overview/
- https://security.netapp.com/advisory/ntap-20241129-0011/
- https://www.openwall.com/lists/oss-security/2023/04/18/14
- https://www.openwall.com/lists/oss-security/2023/05/03/4
- https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/