Certificate Validation Bypass in Perl's HTTPS Module
CVE-2014-3230
5.9 MEDIUM
What is CVE-2014-3230?
The libwww-perl LWP::Protocol::https module, versions 6.04 through 6.06 for Perl, does not reliably enforce server certificate validation when it is configured to use IO::Socket::SSL as the SSL socket class. An attacker who can set the HTTPS_CA_DIR or HTTPS_CA_FILE environment variable for the affected process can use this to disable server certificate validation. The result is exposure to man-in-the-middle attacks, in which HTTPS traffic can be intercepted and sensitive data disclosed. Users of this module should apply the security patches and adopt secure configuration practices to mitigate this risk.
Affected Version(s)
LWP::Protocol::https 6.04 through 6.06
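The following Perl script is an added example written for this record; it is not code from the advisory or from the libwww-perl project. It audits a host for the two conditions this CVE depends on (an LWP::Protocol::https version inside the affected range, and the HTTPS_CA_DIR or HTTPS_CA_FILE variables being present in the process environment) and then constructs an LWP::UserAgent whose verification settings are pinned explicitly through the documented `ssl_opts` argument rather than left to environment defaults. The CA bundle path is an assumed input; the audit is a supplementary check, and upgrading to a version outside 6.04 through 6.06 remains the actual fix.

```perl
#!/usr/bin/env perl
# Added example (not part of the CVE record or of libwww-perl):
# audit for CVE-2014-3230 exposure and build a UserAgent with
# explicit certificate-verification settings.
use strict;
use warnings;
use LWP::UserAgent;
use LWP::Protocol::https;

# Affected range exactly as stated in the advisory.
my ($AFFECTED_MIN, $AFFECTED_MAX) = (6.04, 6.06);

# Returns a list of findings; an empty list means nothing to report.
sub audit_environment {
    my @findings;

    my $v = $LWP::Protocol::https::VERSION;
    if (defined $v && $v >= $AFFECTED_MIN && $v <= $AFFECTED_MAX) {
        push @findings,
          "LWP::Protocol::https $v is inside the affected range "
          . "$AFFECTED_MIN-$AFFECTED_MAX: upgrade to a fixed release";
    }

    # On affected versions these variables can switch validation off,
    # so any occurrence in the environment is worth reporting.
    for my $var (qw(HTTPS_CA_DIR HTTPS_CA_FILE)) {
        push @findings, "$var is set in the environment ('$ENV{$var}')"
          if defined $ENV{$var};
    }

    return @findings;
}

# Build a UserAgent whose trust store and hostname checking are given
# explicitly. $ca_file is an assumed path to a trusted CA bundle
# (for example the operating system's bundle).
sub hardened_ua {
    my ($ca_file) = @_;
    die "CA bundle '$ca_file' is not readable\n" unless -r $ca_file;

    my $ua = LWP::UserAgent->new(
        ssl_opts => {
            verify_hostname => 1,         # certificate must match the host
            SSL_ca_file     => $ca_file,  # explicit trust store
        },
    );

    # Fail closed if the settings did not take effect.
    die "verify_hostname is not enabled\n"
      unless $ua->ssl_opts('verify_hostname');
    return $ua;
}

# Usage: perl audit.pl /path/to/ca-bundle.crt
if (!caller) {
    my $ca_file = shift @ARGV
      or die "usage: $0 /path/to/ca-bundle.crt\n";  # placeholder path

    my @findings = audit_environment();
    print "FINDING: $_\n" for @findings;
    print "No findings\n" unless @findings;

    my $ua = hardened_ua($ca_file);
    print "UserAgent built with explicit verification settings\n";
    # $ua->get('https://example.invalid/') would now be validated
    # against $ca_file; left commented so the script runs offline.
}
```

Run the audit as part of host or container build checks: a finding on the version line means the process is exposed regardless of configuration, while a finding on the environment lines is a signal to look for whatever is injecting those variables (scheduler, wrapper script, CI runner) and remove it.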