漏洞标题
N/A
漏洞描述信息
在libwww-perl(LWP) 6.00之前,用于WWW::Mechanize、LWP::UserAgent和其他产品的Net::HTTPS模块,在运行在未设置If-SSL-Cert-Subject头的环境时,默认不启用SSL证书的完全验证,这允许远程攻击者通过未正确验证的主机名进行中间人(MITM)攻击,从而伪装服务器。
注意:有人可能会认为,这是Net::HTTPS API的设计限制,为了绕过此限制,应该分别分配CVE编号,而不是在LWP中修改此API。然而,由于此API在LWP中修改,因此分配了一个单一的CVE编号。
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Search.cpan libwww-perl Net::HTTPS模块欺骗漏洞
漏洞描述信息
在WWW::Mechanize,LWP::UserAgent以及其他产品中使用的libwww-perl (LWP) 6.00之前版本,当运行于没有设置If-SSL-Cert-Subject头的环境中时,Net::HTTPS模块不能完全验证默认的SSL证书。远程攻击者可以借助与未被正确验证的主机名有关的中间人攻击,欺骗服务器。
CVSS信息
N/A
漏洞类别
授权问题