CVE-2023-31485

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

GitLab::API::v4 through 0.26 does not verify TLS certificates when connecting to a GitLab server, enabling machine-in-the-middle attacks.

*Credits: N/A

CVSS Scores

NISTv3.1 5.9

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-04-28 CVE Reserved
2023-04-28 CVE Published
2024-08-02 CVE Updated
2024-10-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-295: Improper Certificate Validation

CAPEC

References (8)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2023/05/03/5	Mailing List
http://www.openwall.com/lists/oss-security/2023/05/07/2	Mailing List
https://github.com/bluefeet/GitLab-API-v4/pull/57	Issue Tracking
https://github.com/chansen/p5-http-tiny/pull/151	Issue Tracking

URL	Date	SRC

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2023/04/29/1	2023-05-08
http://www.openwall.com/lists/oss-security/2023/05/03/3	2023-05-08
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules	2023-05-08
https://www.openwall.com/lists/oss-security/2023/04/18/14	2023-05-08

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gitlab::api::v4 Project Search vendor "Gitlab::api::v4 Project"		Gitlab::api::v4 Search vendor "Gitlab::api::v4 Project" for product "Gitlab::api::v4"				<= 0.26 Search vendor "Gitlab::api::v4 Project" for product "Gitlab::api::v4" and version " <= 0.26"		-		Affected