PT-2023-3596 · Cpan.Pm+13

Stig Palmquist · Published 2023-02-28 · Updated 2025-11-12 · CVE-2023-31484

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CPAN.pm versions prior to 2.35

Description: The issue is an error in TLS certificate validation that can allow a remote attacker to read confidential data, compromise its integrity, and cause a denial of service. CPAN.pm fails to verify TLS certificates when downloading distributions over HTTPS, so a man-in-the-middle attacker positioned on the channel between the client and the mirror can read the traffic, obtain sensitive information, or further compromise the system.

Recommendations: For versions prior to 2.35, update to version 2.35 or later to resolve the issue. As a temporary workaround, consider disabling the use of HTTPS for distribution downloads until a patch is available. Restrict access to sensitive information and communication channels to minimize the risk of exploitation.
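As an added check (not code from this page or from CPAN.pm itself), the following Perl script compares the installed CPAN.pm with the fixed version the advisory names and shows the HTTP::Tiny option that turns certificate verification on. The mirror URL is a placeholder, and the link between CPAN.pm's HTTPS downloads and HTTP::Tiny's verify_SSL setting is an assumption of this example, not something the page states.

```perl
#!/usr/bin/env perl
# Added example, not CPAN.pm's own code: audit the installed CPAN.pm
# against the fixed version named in the advisory, then show the
# HTTP::Tiny setting that makes an HTTPS fetch verify the server cert.
use strict;
use warnings;
use version;
use HTTP::Tiny;

# Fixed version taken from the advisory text.
my $FIXED = version->parse('2.35');

sub installed_cpan_pm_version {
    # Load CPAN.pm without starting its shell; undef if it is absent.
    no warnings 'once';
    return undef unless eval { require CPAN; 1 };
    return version->parse($CPAN::VERSION);
}

sub is_vulnerable {
    my ($v) = @_;
    return defined $v && $v < $FIXED;
}

# Assumed placeholder mirror: the page names no mirror URL.
my $url = $ARGV[0] // 'https://cpan.example.org/modules/02packages.details.txt.gz';

my $v = installed_cpan_pm_version();
printf "CPAN.pm %s: %s\n", ($v // 'not installed'),
    is_vulnerable($v) ? "affected (older than $FIXED)"
                      : "not affected by the version check";

# Weak setting:     verify_SSL => 0 accepts any certificate, so a
#                   man-in-the-middle mirror is trusted silently.
# Hardened setting: verify_SSL => 1 checks the chain and the hostname.
# HTTP::Tiny reports a failed connection or TLS handshake as status 599
# with the error text in ->{content}, rather than throwing.
my $http = HTTP::Tiny->new(verify_SSL => 1, timeout => 15);
my $res  = $http->head($url);
if ($res->{status} == 599) {
    print "TLS/connection failure (not silently trusted): $res->{content}\n";
} else {
    printf "Verified fetch: HTTP %s %s\n", $res->{status}, $res->{reason};
}
```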

Weakness Enumeration: Improper Certificate Validation

Related Identifiers

ALSA-2023:6539
ALSA-2024:3094
ALT-PU-2023-7616
AZL-37126
BDU:2023-03871
CESA-2024_3094
CVE-2023-31484
DLA-3926-1
ECHO-0985-0297-4BA8
INFSA-2023_6539
INFSA-2024_3094
MGASA-2025-0274
MGASA-2025-0276
OESA-2023-1287
OESA-2023-1420
RHSA-2023:6539
RHSA-2023_6539
RHSA-2024:3094
RHSA-2024_3094
RHSA-2026:0079
RHSA-2026:7604
RLSA-2023:6539
SUSE-SU-2023:2881-1
SUSE-SU-2023:2882-1
SUSE-SU-2023_2882-1
SUSE-SU-2024:1630-1
USN-6112-1
USN-6112-2

Affected Products

Alt Linux
Almalinux
Astra Linux
Cpan.Pm
Centos
Debian
Ibm Aix
Linuxmint
Apple Macos
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu