Description
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.
References (11)
Core 11
Core References
Mitigation, Patch, Third Party Advisory
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
Mailing List, Patch
https://www.openwall.com/lists/oss-security/2023/04/18/14
Mailing List, Third Party Advisory
https://www.openwall.com/lists/oss-security/2023/05/03/4
Issue Tracking
https://www.reddit.com/r/perl/comments/111tadi/psa_httptiny_disabled_ssl_verification_by_default/
Vendor Advisory
https://security.netapp.com/advisory/ntap-20241129-0011/
Mailing List, Patch mailing-list
http://www.openwall.com/lists/oss-security/2023/04/29/1
Mailing List, Patch mailing-list
http://www.openwall.com/lists/oss-security/2023/05/03/3
Mailing List mailing-list
http://www.openwall.com/lists/oss-security/2023/05/03/5
Mailing List, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2023/05/07/2
Scores
CVSS v3
8.1
EPSS
0.0174
EPSS Percentile
74.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-295
Status
published
Products (2)
http\/\
< 0.083
perl/perl
< 5.38.0
Published
Apr 29, 2023
Tracked Since
Feb 18, 2026