CVE-2011-0633

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated.  NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 34%
VendorProductVersion
gisle_aaslibwww-perl
0.01
gisle_aaslibwww-perl
0.02
gisle_aaslibwww-perl
0.03
gisle_aaslibwww-perl
0.04
gisle_aaslibwww-perl
5.00
gisle_aaslibwww-perl
5.01
gisle_aaslibwww-perl
5.02
gisle_aaslibwww-perl
5.03
gisle_aaslibwww-perl
5.04
gisle_aaslibwww-perl
5.05
gisle_aaslibwww-perl
5.06
gisle_aaslibwww-perl
5.07
gisle_aaslibwww-perl
5.08
gisle_aaslibwww-perl
5.09
gisle_aaslibwww-perl
5.10
gisle_aaslibwww-perl
5.11
gisle_aaslibwww-perl
5.12
gisle_aaslibwww-perl
5.13
gisle_aaslibwww-perl
5.14
gisle_aaslibwww-perl
5.15
gisle_aaslibwww-perl
5.16
gisle_aaslibwww-perl
5.17
gisle_aaslibwww-perl
5.18
gisle_aaslibwww-perl
5.18_03:_03
gisle_aaslibwww-perl
5.18_04:_04
gisle_aaslibwww-perl
5.18_05:_05
gisle_aaslibwww-perl
5.19
gisle_aaslibwww-perl
5.20
gisle_aaslibwww-perl
5.21
gisle_aaslibwww-perl
5.22
gisle_aaslibwww-perl
5.30
gisle_aaslibwww-perl
5.31
gisle_aaslibwww-perl
5.32
gisle_aaslibwww-perl
5.33
gisle_aaslibwww-perl
5.34
gisle_aaslibwww-perl
5.35
gisle_aaslibwww-perl
5.36
gisle_aaslibwww-perl
5.41
gisle_aaslibwww-perl
5.42
gisle_aaslibwww-perl
5.43
gisle_aaslibwww-perl
5.44
gisle_aaslibwww-perl
5.45
gisle_aaslibwww-perl
5.46
gisle_aaslibwww-perl
5.47
gisle_aaslibwww-perl
5.48
gisle_aaslibwww-perl
5.49
gisle_aaslibwww-perl
5.50
gisle_aaslibwww-perl
5.51
gisle_aaslibwww-perl
5.52
gisle_aaslibwww-perl
5.53
gisle_aaslibwww-perl
5.53_90:_90
gisle_aaslibwww-perl
5.53_91:_91
gisle_aaslibwww-perl
5.53_92:_92
gisle_aaslibwww-perl
5.53_93:_93
gisle_aaslibwww-perl
5.53_94:_94
gisle_aaslibwww-perl
5.53_95:_95
gisle_aaslibwww-perl
5.53_96:_96
gisle_aaslibwww-perl
5.53_97:_97
gisle_aaslibwww-perl
5.60
gisle_aaslibwww-perl
5.61
gisle_aaslibwww-perl
5.62
gisle_aaslibwww-perl
5.63
gisle_aaslibwww-perl
5.64
gisle_aaslibwww-perl
5.65
gisle_aaslibwww-perl
5.66
gisle_aaslibwww-perl
5.67
gisle_aaslibwww-perl
5.68
gisle_aaslibwww-perl
5.69
gisle_aaslibwww-perl
5.70
gisle_aaslibwww-perl
5.71
gisle_aaslibwww-perl
5.72
gisle_aaslibwww-perl
5.73
gisle_aaslibwww-perl
5.74
gisle_aaslibwww-perl
5.75
gisle_aaslibwww-perl
5.76
gisle_aaslibwww-perl
5.77
gisle_aaslibwww-perl
5.78
gisle_aaslibwww-perl
5.79
gisle_aaslibwww-perl
5.800
gisle_aaslibwww-perl
5.801
gisle_aaslibwww-perl
5.802
gisle_aaslibwww-perl
5.803
gisle_aaslibwww-perl
5.804
gisle_aaslibwww-perl
5.805
gisle_aaslibwww-perl
5.806
gisle_aaslibwww-perl
5.807
gisle_aaslibwww-perl
5.808
gisle_aaslibwww-perl
5.810
gisle_aaslibwww-perl
5.811
gisle_aaslibwww-perl
5.812
gisle_aaslibwww-perl
5.813
gisle_aaslibwww-perl
5.814
gisle_aaslibwww-perl
5.815
gisle_aaslibwww-perl
5.816
gisle_aaslibwww-perl
5.817
gisle_aaslibwww-perl
5.818
gisle_aaslibwww-perl
5.819
gisle_aaslibwww-perl
5.820
gisle_aaslibwww-perl
5.821
gisle_aaslibwww-perl
5.822
gisle_aaslibwww-perl
5.823
gisle_aaslibwww-perl
5.824
gisle_aaslibwww-perl
5.825
gisle_aaslibwww-perl
5.826
gisle_aaslibwww-perl
5.827
gisle_aaslibwww-perl
5.828
gisle_aaslibwww-perl
5.829
gisle_aaslibwww-perl
5.830
gisle_aaslibwww-perl
5.831
gisle_aaslibwww-perl
5.832
gisle_aaslibwww-perl
5.833
gisle_aaslibwww-perl
5.834
gisle_aaslibwww-perl
5.836
search.cpanlibwww-perl
𝑥
≤ 5.837
search.cpanlibwww-perl
5.40_01:_01
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libwww-perl
bullseye
6.52-1
fixed
squeeze
no-dsa
bookworm
6.68-1
fixed
sid
6.77-1
fixed
trixie
6.77-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libwww-perl
oneiric
not-affected
natty
ignored
maverick
ignored
lucid
ignored
hardy
ignored
dapper
ignored
Common Weakness Enumeration
References
http://cpansearch.perl.org/src/GAAS/libwww-perl-6.02/Changes
http://vttynotes.blogspot.com/2010/12/man-in-middle-fun-with-perl-lwp.html
http://vttynotes.blogspot.com/2011/03/quick-note-on-lwp-and-perl-security-cve.html
http://cpansearch.perl.org/src/GAAS/libwww-perl-6.02/Changes
http://vttynotes.blogspot.com/2010/12/man-in-middle-fun-with-perl-lwp.html
http://vttynotes.blogspot.com/2011/03/quick-note-on-lwp-and-perl-security-cve.html