CVE-2011-0633
Last modified
CVE-2011-0633 is a vulnerability of currently unknown severity. The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. EPSS estimates a 4.25% chance of exploitation in the next 30 days.
Description
The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Gisle Aas | Libwww-Perl | 0.01 |
| Gisle Aas | Libwww-Perl | 0.02 |
| Gisle Aas | Libwww-Perl | 0.03 |
| Gisle Aas | Libwww-Perl | 0.04 |
| Gisle Aas | Libwww-Perl | 5.00 |
| Gisle Aas | Libwww-Perl | 5.01 |
| Gisle Aas | Libwww-Perl | 5.02 |
| Gisle Aas | Libwww-Perl | 5.03 |
| Gisle Aas | Libwww-Perl | 5.04 |
| Gisle Aas | Libwww-Perl | 5.05 |
| Gisle Aas | Libwww-Perl | 5.06 |
| Gisle Aas | Libwww-Perl | 5.07 |
| Gisle Aas | Libwww-Perl | 5.08 |
| Gisle Aas | Libwww-Perl | 5.09 |
| Gisle Aas | Libwww-Perl | 5.10 |
| Gisle Aas | Libwww-Perl | 5.11 |
| Gisle Aas | Libwww-Perl | 5.12 |
| Gisle Aas | Libwww-Perl | 5.13 |
| Gisle Aas | Libwww-Perl | 5.14 |
| Gisle Aas | Libwww-Perl | 5.15 |
| Gisle Aas | Libwww-Perl | 5.16 |
| Gisle Aas | Libwww-Perl | 5.17 |
| Gisle Aas | Libwww-Perl | 5.18 |
| Gisle Aas | Libwww-Perl | 5.18_03 |
| Gisle Aas | Libwww-Perl | 5.18_04 |
| Gisle Aas | Libwww-Perl | 5.18_05 |
| Gisle Aas | Libwww-Perl | 5.19 |
| Gisle Aas | Libwww-Perl | 5.20 |
| Gisle Aas | Libwww-Perl | 5.21 |
| Gisle Aas | Libwww-Perl | 5.22 |
| Gisle Aas | Libwww-Perl | 5.30 |
| Gisle Aas | Libwww-Perl | 5.31 |
| Gisle Aas | Libwww-Perl | 5.32 |
| Gisle Aas | Libwww-Perl | 5.33 |
| Gisle Aas | Libwww-Perl | 5.34 |
| Gisle Aas | Libwww-Perl | 5.35 |
| Gisle Aas | Libwww-Perl | 5.36 |
| Gisle Aas | Libwww-Perl | 5.41 |
| Gisle Aas | Libwww-Perl | 5.42 |
| Gisle Aas | Libwww-Perl | 5.43 |
| Gisle Aas | Libwww-Perl | 5.44 |
| Gisle Aas | Libwww-Perl | 5.45 |
| Gisle Aas | Libwww-Perl | 5.46 |
| Gisle Aas | Libwww-Perl | 5.47 |
| Gisle Aas | Libwww-Perl | 5.48 |
| Gisle Aas | Libwww-Perl | 5.49 |
| Gisle Aas | Libwww-Perl | 5.50 |
| Gisle Aas | Libwww-Perl | 5.51 |
| Gisle Aas | Libwww-Perl | 5.52 |
| Gisle Aas | Libwww-Perl | 5.53 |
Showing 50 of 124 affected configurations. See NVD for the full list.
References
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2011-0633?
How severe is CVE-2011-0633?
How do I fix CVE-2011-0633?
Are you affected by CVE-2011-0633?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST