{
  "threat_severity" : "Moderate",
  "public_date" : "2023-04-18T00:00:00Z",
  "bugzilla" : {
    "description" : "http-tiny: insecure TLS cert default",
    "id" : "2228392",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2228392"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1188",
  "details" : [ "HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.", "A vulnerability was found in HTTP::Tiny, a Perl core module and standalone CPAN package, which does not verify TLS certificates by default. Users need to explicitly enable certificate verification with the verify_SSL=>1 flag to ensure secure HTTPS connections. This oversight can potentially expose applications to man-in-the-middle (MITM) attacks, where an attacker might intercept and manipulate data transmitted between the client and server." ],
  "statement" : "This vulnerability is rated as moderate severity because, while it does not compromise data or credentials, it exposes users to significant security risks if HTTPS connections are not properly configured.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7174",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "perl-HTTP-Tiny-0:0.074-2.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2024-01-25T00:00:00Z",
    "advisory" : "RHSA-2024:0422",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.6",
    "package" : "perl-HTTP-Tiny-0:0.074-1.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-01-30T00:00:00Z",
    "advisory" : "RHSA-2024:0579",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.8",
    "package" : "perl-HTTP-Tiny-0:0.074-1.el8_8.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-11-07T00:00:00Z",
    "advisory" : "RHSA-2023:6542",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "perl-HTTP-Tiny-0:0.076-461.el9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-07-09T00:00:00Z",
    "advisory" : "RHSA-2024:4430",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "perl-HTTP-Tiny-0:0.076-461.el9_2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "perl-HTTP-Tiny",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "perl:5.30/perl-HTTP-Tiny",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Affected",
    "package_name" : "perl:5.32/perl-HTTP-Tiny",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-31486\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-31486" ],
  "name" : "CVE-2023-31486",
  "csaw" : false
}