CVE-2023-31486

Published: 29 April 2023

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

Notes

Author: ccdm94

It seems like upstream will not be fixing this issue due to the large risk that it might break things and in order to maintain backwards compatibility. As per the information available in https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT, HTTP::Tiny aims to not make assumptions about trust models chosen by users, and, therefore, according to the documentation and upstream's position regarding this issue (see p5-http-tiny issues 68 and 134), it is recommended that users set the verify_SSL option in their own code in order to apply certificate verification functionalities to their applications. Due to the risk of this issue introducing regressions and all that has been mentioned up to this point, releases will be marked as ignored.
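The recommendation above, applying certificate verification in your own code, comes down to one constructor argument. The script below is an added example written for this page; it is not Ubuntu's or HTTP::Tiny's own code. It checks whether the installed HTTP::Tiny is an affected release, shows the insecure default constructor beside the opt-in `verify_SSL => 1` form, and sends one request with each so the difference is visible. The default target `https://self-signed.badssl.com/` is an assumed test host, chosen because it presents a certificate that verification should reject; pass any other https URL as the first argument.

```perl
#!/usr/bin/env perl
# Added example for CVE-2023-31486 (not Ubuntu's or HTTP::Tiny's own code).
# Demonstrates the insecure default TLS configuration and the opt-in fix.
use strict;
use warnings;
use HTTP::Tiny;

# Assumed test target: a host with a self-signed certificate, so that a
# verifying client fails and a non-verifying client silently succeeds.
my $url = shift @ARGV // 'https://self-signed.badssl.com/';

# 1. Is this one of the affected releases? Before 0.083 the verify_SSL
#    attribute defaults to false, i.e. no certificate verification at all.
printf "HTTP::Tiny %s: %s\n", $HTTP::Tiny::VERSION,
    $HTTP::Tiny::VERSION < 0.083
        ? 'affected release, verify_SSL is off by default'
        : 'not affected by default';

# 2. TLS needs IO::Socket::SSL and Net::SSLeay; without them every https
#    request fails with a 599 regardless of verification settings.
my ($can_ssl, $why) = HTTP::Tiny->can_ssl;
die "no TLS support available: $why\n" unless $can_ssl;

# 3. Vulnerable pattern: no verify_SSL argument. On an affected release the
#    accessor reports 0 and a self-signed, expired or mismatched certificate
#    is accepted, which lets an on-path attacker read and alter the traffic.
my $insecure = HTTP::Tiny->new(timeout => 10);
printf "default verify_SSL setting: %s\n",
    $insecure->verify_SSL ? 'on' : 'off';
report('constructor default', $insecure->get($url));

# 4. Hardened pattern: set verify_SSL => 1 explicitly. This is what the note
#    above asks application authors to do, and it is correct on every
#    version of the module, so the code stays safe whichever release the
#    distribution ships. SSL_options is passed through to IO::Socket::SSL;
#    uncomment it to pin a specific CA bundle instead of the system default.
my $secure = HTTP::Tiny->new(
    timeout    => 10,
    verify_SSL => 1,
    # SSL_options => { SSL_ca_file => '/etc/ssl/certs/ca-certificates.crt' },
);
report('verify_SSL => 1', $secure->get($url));

# HTTP::Tiny does not throw on a failed handshake; it returns a synthetic
# status 599 response whose content carries the IO::Socket::SSL error text.
# A certificate verification failure therefore shows up here, not as a die.
sub report {
    my ($label, $res) = @_;
    if ($res->{success}) {
        printf "%-20s -> %s %s (certificate accepted)\n",
            $label, $res->{status}, $res->{reason};
    }
    elsif ($res->{status} == 599) {
        printf "%-20s -> 599 internal error: %s\n",
            $label, $res->{content} =~ s/\s+\z//r;
    }
    else {
        printf "%-20s -> %s %s\n", $label, $res->{status}, $res->{reason};
    }
}
```

On an affected release the first request to the self-signed host returns 200 and the second returns 599 with a certificate verify failure from IO::Socket::SSL; that pair of results is the quickest way to confirm which default an installed system is running with. Auditing a code base for this issue amounts to finding every `HTTP::Tiny->new(` that lacks `verify_SSL`.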

Priority

Medium

Cvss 3 Severity Score

8.1

Status

Package: libhttp-tiny-perl (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Ignored (see notes)
focal     Ignored (see notes)
jammy     Ignored (see notes)
kinetic   Ignored (end of life, was ignored [see notes])
lunar     Ignored (end of life, was ignored [see notes])
trusty    Ignored (end of standard support)
upstream  Needed
xenial    Ignored (see notes)

Package: perl (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Ignored (see notes)
focal     Ignored (see notes)
jammy     Ignored (see notes)
kinetic   Ignored (end of life, was ignored [see notes])
lunar     Ignored (end of life, was ignored [see notes])
trusty    Ignored (see notes)
upstream  Needed
xenial    Ignored (see notes)

Severity score breakdown

Parameter              Value
Base score             8.1
Attack vector          Network
Attack complexity      High
Privileges required    None
User interaction       None
Scope                  Unchanged
Confidentiality impact High
Integrity impact       High
Availability impact    High
Vector                 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H