CVE-2023-31485

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-31485
GitLab::API::v4 through 0.26 does not verify TLS certificates when connecting to a GitLab server, enabling machine-in-the-middle attacks.

5.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
http://www.openwall.com/lists/oss-security/2023/04/29/1 Mailing List Patch
http://www.openwall.com/lists/oss-security/2023/05/03/3 Mailing List Patch
http://www.openwall.com/lists/oss-security/2023/05/03/5 Mailing List
http://www.openwall.com/lists/oss-security/2023/05/07/2 Mailing List
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/ Mitigation Patch Third Party Advisory
https://github.com/bluefeet/GitLab-API-v4/pull/57 Issue Tracking
https://github.com/chansen/p5-http-tiny/pull/151 Issue Tracking
https://www.openwall.com/lists/oss-security/2023/04/18/14 Mailing List Patch
Configurations

Configuration 1 (hide)

cpe:2.3:a:gitlab\:\:api\:\:v4_project:gitlab\:\:api\:\:v4:*:*:*:*:*:*:*:*
History

08 May 2023, 17:07

Type Values Removed Values Added
CWE CWE-295
CPE cpe:2.3:a:gitlab\:\:api\:\:v4_project:gitlab\:\:api\:\:v4:*:*:*:*:*:*:*:*
References (MLIST) http://www.openwall.com/lists/oss-security/2023/05/03/3 - (MLIST) http://www.openwall.com/lists/oss-security/2023/05/03/3 - Mailing List, Patch
References (MLIST) http://www.openwall.com/lists/oss-security/2023/05/03/5 - (MLIST) http://www.openwall.com/lists/oss-security/2023/05/03/5 - Mailing List
References (MLIST) http://www.openwall.com/lists/oss-security/2023/05/07/2 - (MLIST) http://www.openwall.com/lists/oss-security/2023/05/07/2 - Mailing List
References (MISC) https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/ - (MISC) https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/ - Mitigation, Patch, Third Party Advisory
References (MISC) https://github.com/chansen/p5-http-tiny/pull/151 - (MISC) https://github.com/chansen/p5-http-tiny/pull/151 - Issue Tracking
References (MLIST) http://www.openwall.com/lists/oss-security/2023/04/29/1 - (MLIST) http://www.openwall.com/lists/oss-security/2023/04/29/1 - Mailing List, Patch
References (MISC) https://github.com/bluefeet/GitLab-API-v4/pull/57 - (MISC) https://github.com/bluefeet/GitLab-API-v4/pull/57 - Issue Tracking
References (MISC) https://www.openwall.com/lists/oss-security/2023/04/18/14 - (MISC) https://www.openwall.com/lists/oss-security/2023/04/18/14 - Mailing List, Patch
First Time Gitlab\
Gitlab\ \
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.9

08 May 2023, 00:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2023/05/07/2 -

04 May 2023, 00:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2023/05/03/5 -

03 May 2023, 21:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2023/05/03/3 -

01 May 2023, 10:39

Type Values Removed Values Added
New CVE
Information

Published : 2023-04-29 00:15

Updated : 2023-12-10 15:01

NVD link : CVE-2023-31485

Mitre link : CVE-2023-31485

CVE.ORG link : CVE-2023-31485

JSON object : View

Products Affected

gitlab\

  • \
CWE
CWE-295

Improper Certificate Validation