What is CVE-2023-31484?

CVE-2023-31484 is a high-severity software vulnerability (CWE-295) with a CVSS score of 8.1. CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Is CVE-2023-31484 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 2%.

What products does CVE-2023-31484 affect?

Tracked products affected include Perl. Check the version you run to see whether it is affected.

How do I fix CVE-2023-31484?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2023-31484

HIGH severity · CVSS 8.1 · CWE-295

8.1CVSS HIGH

Summary

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)2%

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Perl

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: http://www.openwall.com/lists/oss-security/2023/04/29/1 ↗

Additional information

NVD record
http://www.openwall.com/lists/oss-security/2023/04/29/1Patch
http://www.openwall.com/lists/oss-security/2023/05/03/3Patch
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/Patch
http://www.openwall.com/lists/oss-security/2023/05/03/5
http://www.openwall.com/lists/oss-security/2023/05/07/2
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BM6UW55CNFUTNGD5ZRKGUKKKFDJGMFHL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LEGCEOKFJVBJ2QQ6S2H4NAEWTUERC7SB/
https://github.com/andk/cpanpm/pull/175Exploit