PT-2014-5152 · Perl+1 · Libwww-Perl+1

Published 2014-05-07 · Updated 2024-06-15 · CVE-2014-3230

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

libwww-perl LWP::Protocol::https module versions 6.04 through 6.06

Description

The issue allows attackers to disable server certificate validation via the HTTPS_CA_DIR or HTTPS_CA_FILE environment variable when using IO::Socket::SSL as the SSL socket class.

Recommendations

For versions 6.04 through 6.06, consider disabling the use of the HTTPS_CA_DIR and HTTPS_CA_FILE environment variables to prevent server certificate validation from being disabled until a patch is available. Restrict access to the environment variables to minimize the risk of exploitation.

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2014-3230
MGASA-2014-0257
OPENSUSE-SU-2024:10239-1
USN-2292-1

Affected Products

Ubuntu
Libwww-Perl