CVSS: 8.1 | EPSS: 1% | CPEs: 2 | EXPL: 1

CVE-2023-31484 – perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS
https://notcve.org/view.php?id=CVE-2023-31484
28 Apr 2023 — CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. A flaw was found in Perl's CPAN, which doesn't check TLS certificates when downloading content. This happens because `verify_SSL` is missing when using the `HTTP::Tiny` library during the connection. This may allow an attacker to insert themselves into the network path and perform a man-in-the-middle attack, causing confidentiality or integrity issues. USN-6112-1 fixed vulnerabilities in Perl. • http://www.openwall.com/lists/oss-security/2023/04/29/1 • CWE-295: Improper Certificate Validation