CVE-2011-0633

libwww-perl < 6.00 - Man-in-the-Middle Attack via Incomplete SSL Certificate Validation

Title source: llm
STIX 2.1

Description

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.

Scores

EPSS 0.0425
EPSS Percentile 89.9%

Details

CWE
CWE-20
Status published
Products (50)
gisle_aas/libwww-perl 0.01
gisle_aas/libwww-perl 0.02
gisle_aas/libwww-perl 0.03
gisle_aas/libwww-perl 0.04
gisle_aas/libwww-perl 5.00
gisle_aas/libwww-perl 5.01
gisle_aas/libwww-perl 5.02
gisle_aas/libwww-perl 5.03
gisle_aas/libwww-perl 5.04
gisle_aas/libwww-perl 5.05
... and 40 more
Published May 13, 2011
Tracked Since Feb 18, 2026