{
  "threat_severity" : "Moderate",
  "public_date" : "2023-04-29T00:00:00Z",
  "bugzilla" : {
    "description" : "perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS",
    "id" : "2218667",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2218667"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-295",
  "details" : [ "CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS.", "A flaw was found in Perl's CPAN, which doesn't check TLS certificates when downloading content. This happens because the `verify_SSL` option is not set when using the `HTTP::Tiny` library for the connection. An attacker positioned on the network path may be able to perform a man-in-the-middle attack, causing confidentiality or integrity issues." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2026-01-05T00:00:00Z",
    "advisory" : "RHSA-2026:0079",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "perl-4:5.16.3-299.el7_9.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3094",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "perl-CPAN-0:2.18-399.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6539",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "perl-CPAN-0:2.29-3.el9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "perl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-31484\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-31484" ],
  "name" : "CVE-2023-31484",
  "csaw" : false
}