Upstream information

CVE-2023-31486 at MITRE

Description

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
| | CNA (CISA-ADP) | National Vulnerability Database | SUSE |
|---|---|---|---|
| Base Score | 8.1 | 8.1 | 7.4 |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Attack Vector | Network | Network | Network |
| Attack Complexity | High | High | High |
| Privileges Required | None | None | None |
| User Interaction | None | None | None |
| Scope | Unchanged | Unchanged | Unchanged |
| Confidentiality Impact | High | High | High |
| Integrity Impact | High | High | High |
| Availability Impact | High | High | None |
| CVSSv3 Version | 3.1 | 3.1 | 3.1 |

Note from the SUSE Security Team

Currently SUSE does not plan to change the default for perl-HTTP-Tiny, as there is a risk of breaking existing applications. Future products will have the default switched to on.
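
Where the default stays off, each application has to opt in itself. The following added example (not code from SUSE or from the HTTP::Tiny project) reports the effective default of the installed module and builds a client that always verifies certificates; `strict_client`, `default_verifies` and `fetch` are hypothetical helper names, while `verify_SSL`, `can_ssl` and the 599 pseudo-status are HTTP::Tiny's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tiny;

# What a bare HTTP::Tiny->new gives callers on this host. Checking the
# attribute is more reliable than comparing package version strings,
# because distribution packages may carry backported changes.
sub default_verifies {
    return HTTP::Tiny->new->verify_SSL ? 1 : 0;
}

# Hypothetical helper: a client that verifies certificates regardless of
# the module default. verify_SSL comes last so callers cannot override it.
sub strict_client {
    my (%opts) = @_;
    my $http = HTTP::Tiny->new(%opts, verify_SSL => 1);

    # Called on an object with verify_SSL set, can_ssl also checks that a
    # CA file can be found, so a missing trust store fails here, early.
    my ($ok, $why) = $http->can_ssl;
    die "cannot verify TLS certificates: $why\n" unless $ok;
    return $http;
}

# Hypothetical helper: HTTP::Tiny does not throw on connection or TLS
# errors; it returns pseudo-status 599 with the error text in {content}.
sub fetch {
    my ($http, $url) = @_;
    my $res = $http->get($url);
    die "no HTTP response (TLS or connection error): $res->{content}\n"
        if $res->{status} == 599;
    return $res;
}

printf "HTTP::Tiny %s verifies certificates by default: %s\n",
    HTTP::Tiny->VERSION, default_verifies() ? 'yes' : 'no';

my $http = strict_client(timeout => 10);

# Optional: pass an https:// URL as the first argument to make a request.
if (@ARGV) {
    my $res = fetch($http, $ARGV[0]);
    print "$res->{status} $res->{reason}\n";
}
```

Run without arguments, the script makes no network connection and only reports the local default and whether a verifying client can be constructed.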

SUSE Bugzilla entry: 1211001 [NEW]

SUSE Security Advisories:

List of released packages

| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Liberty Linux 8 | perl-HTTP-Tiny >= 0.074-2.el8 | Patchnames: RHSA-2023:7174 |
| SUSE Liberty Linux 9 | perl-HTTP-Tiny >= 0.076-461.el9 | Patchnames: RHSA-2023:6542 |
| SUSE Package Hub 15 SP4 | perl-HTTP-Tiny >= 0.086-bp154.2.3.1 | Patchnames: openSUSE-2023-222 |
| SUSE Package Hub 15 SP5 | perl-HTTP-Tiny >= 0.086-bp155.3.3.1 | Patchnames: openSUSE-2023-223 |
| openSUSE Leap 15.4 | perl-HTTP-Tiny >= 0.086-bp154.2.3.1 | Patchnames: openSUSE-2023-222 |
| openSUSE Leap 15.5 | perl-HTTP-Tiny >= 0.086-bp155.3.3.1 | Patchnames: openSUSE-2023-223 |
| openSUSE Tumbleweed | perl-HTTP-Tiny >= 0.086-1.1 | Patchnames: openSUSE-Tumbleweed-2024-13034 |


SUSE Timeline for this CVE

CVE page created: Sat Apr 29 04:00:22 2023
CVE page last modified: Sat Jun 21 01:01:56 2025