Upstream information
Description
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
| CNA (CISA-ADP) | National Vulnerability Database | SUSE | |
|---|---|---|---|
| Base Score | 8.1 | 8.1 | 7.4 |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Attack Vector | Network | Network | Network |
| Attack Complexity | High | High | High |
| Privileges Required | None | None | None |
| User Interaction | None | None | None |
| Scope | Unchanged | Unchanged | Unchanged |
| Confidentiality Impact | High | High | High |
| Integrity Impact | High | High | High |
| Availability Impact | High | High | None |
| CVSSv3 Version | 3.1 | 3.1 | 3.1 |
Note from the SUSE Security Team
Currently SUSE does not plan to change the default for perl-HTTP-Tiny, as there is risk of breaking existing applications. Future products will have the default switched to on. SUSE Bugzilla entry: 1211001 [NEW]SUSE Security Advisories:
- openSUSE-SU-2023:0222-1, published Tue Aug 15 18:44:57 2023
- openSUSE-SU-2023:0223-1, published Tue Aug 15 18:44:57 2023
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Liberty Linux 8 |
| Patchnames: RHSA-2023:7174 |
| SUSE Liberty Linux 9 |
| Patchnames: RHSA-2023:6542 |
| SUSE Package Hub 15 SP4 |
| Patchnames: openSUSE-2023-222 |
| SUSE Package Hub 15 SP5 |
| Patchnames: openSUSE-2023-223 |
| openSUSE Leap 15.4 |
| Patchnames: openSUSE-2023-222 |
| openSUSE Leap 15.5 |
| Patchnames: openSUSE-2023-223 |
| openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2024-13034 |
SUSE Timeline for this CVE
CVE page created: Sat Apr 29 04:00:22 2023CVE page last modified: Sat Jun 21 01:01:56 2025