CVE-2014-3230

Name: CVE-2014-3230

Description: The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable.

NVD Severity: medium

References

| Type | URI |
| --- | --- |
| Mailing List | http://www.openwall.com/lists/oss-security/2014/05/04/1 |
| Mailing List | http://www.openwall.com/lists/oss-security/2014/05/02/8 |
| Mailing List | http://www.openwall.com/lists/oss-security/2014/05/06/8 |
| Broken Link | https://github.com/libwww-perl/lwp-protocol-https/pull/14 |
| Exploit | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579 |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:lwp\:\:protocol\:\:https_project:lwp\:\:protocol\:\:https:*:*:*:*:*:*:*:* | \ | >= 6.04 | <= 6.06 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| perl-lwp-protocol-https | 3.19-main | 6.11-r0 | Sheila Aman <sheila@vulpine.house> | fixed |