PT-2023-3597 · Tiny-Http+8

Nrdvana · Published 2023-04-18 · Updated 2025-11-12 · CVE-2023-31486

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: HTTP::Tiny versions prior to 0.083

Description: The issue lies in the TLS certificate verification procedure and allows a remote attacker to read confidential data, compromise its integrity, and cause a denial of service. It stems from an insecure default TLS configuration: certificate verification is off unless the user opts in, which leaves HTTP::Tiny clients exposed to a man-in-the-middle attack. An attacker positioned on the communication channel between the endpoints could obtain sensitive information or further compromise the system.

Recommendations: For versions prior to 0.083, update to version 0.083 or later to resolve the issue. As a temporary workaround, opt in to TLS certificate verification to minimize the risk of exploitation. Restrict access to sensitive information and communication channels to limit the impact of a potential man-in-the-middle attack.
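The weak default beside the corrected configuration, as an added example that is not part of this advisory or of HTTP::Tiny itself: `audit_client` reports the conditions described above (verification off, module older than 0.083, no usable TLS stack), and `hardened_client` opts in explicitly via the module's `verify_SSL` option. Assumes `HTTP::Tiny` with an SSL backend (IO::Socket::SSL) installed; `ca_file` is a hypothetical caller-supplied path.

```perl
use strict;
use warnings;
use HTTP::Tiny;

# Constructed example: audit an HTTP::Tiny client for the CVE-2023-31486
# condition. Returns a list of findings; an empty list means no issue found.
sub audit_client {
    my ($ua) = @_;
    my @findings;
    my ($ok, $why) = $ua->can_ssl;    # TLS backend and CA bundle usable?
    push @findings, "no usable TLS support: $why" unless $ok;
    push @findings, "verify_SSL is off: the server certificate is not checked"
        unless $ua->verify_SSL;
    push @findings, "HTTP::Tiny $HTTP::Tiny::VERSION predates 0.083: "
                  . "verify_SSL defaults to off"
        if $HTTP::Tiny::VERSION < 0.083;
    return @findings;
}

# Corrected configuration: opt in to verification regardless of the
# installed version's default, optionally pinning a CA bundle.
sub hardened_client {
    my (%args) = @_;
    return HTTP::Tiny->new(
        verify_SSL => 1,
        timeout    => $args{timeout} // 10,
        ( $args{ca_file}
            ? ( SSL_options => { SSL_ca_file => $args{ca_file} } )
            : () ),
    );
}

# Weak configuration: relies on the default, which is off before 0.083.
my $weak = HTTP::Tiny->new;
print "weak: $_\n" for audit_client($weak);

my $safe = hardened_client();
my @f = audit_client($safe);
print @f ? map { "safe: $_\n" } @f : "safe: no findings\n";
```

On 0.083 or later the default is already on, so the audit only flags clients that pass `verify_SSL => 0` explicitly; on older versions the bare `HTTP::Tiny->new` is reported as insecure.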

Fix: available (see Recommendations)

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

ALSA-2023:6542
ALSA-2023:7174
ALT-PU-2023-7616
AZL-37127
BDU:2023-03872
CESA-2023_7174
CVE-2023-31486
ECHO-0529-664D-9989
MGASA-2025-0276
OESA-2023-1389
OESA-2023-1390
OESA-2023-1400
OESA-2023-1401
OESA-2023-1487
OPENSUSE-SU-2023:0222-1
OPENSUSE-SU-2023:0223-1
OPENSUSE-SU-2024:13034-1
RHSA-2023:6542
RHSA-2023:7174
RHSA-2023_6542
RHSA-2023_7174
RHSA-2024:0422
RHSA-2024:0579
RHSA-2024:4430
RHSA-2026:7604
ROSA-SA-2024-2471

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Tiny-Http
Ibm Aix
Apple Macos
Red Hat