CVE-2010-4334

The IO::Socket::SSL module 1.35 for Perl, when verify_mode is not VERIFY_NONE, fails open to VERIFY_NONE instead of throwing an error when a ca_file/ca_path cannot be verified, which allows remote attackers to bypass intended certificate restrictions.

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:N

Exploitability : 4.9 / Impact : 4.9

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058	Patch
http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.35/Changes
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052594.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052601.html
http://osvdb.org/69626
http://secunia.com/advisories/42508	Vendor Advisory
http://secunia.com/advisories/42757
http://www.mandriva.com/security/advisories?name=MDVSA-2011:092
http://www.openwall.com/lists/oss-security/2010/12/09/8
http://www.openwall.com/lists/oss-security/2010/12/24/1
http://www.securityfocus.com/bid/45189
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058	Patch
http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.35/Changes
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052594.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052601.html
http://osvdb.org/69626
http://secunia.com/advisories/42508	Vendor Advisory
http://secunia.com/advisories/42757
http://www.mandriva.com/security/advisories?name=MDVSA-2011:092
http://www.openwall.com/lists/oss-security/2010/12/09/8
http://www.openwall.com/lists/oss-security/2010/12/24/1
http://www.securityfocus.com/bid/45189

Configurations

Configuration 1 (hide)

cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.35:*:*:*:*:*:*:*

History

21 Nov 2024, 01:20

Type	Values Removed	Values Added
References	~~() http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058 - Patch~~	() http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058 - Patch
References	~~() http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.35/Changes -~~	() http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.35/Changes -
References	~~() http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052594.html -~~	() http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052594.html -
References	~~() http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052601.html -~~	() http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052601.html -
References	~~() http://osvdb.org/69626 -~~	() http://osvdb.org/69626 -
References	~~() http://secunia.com/advisories/42508 - Vendor Advisory~~	() http://secunia.com/advisories/42508 - Vendor Advisory
References	~~() http://secunia.com/advisories/42757 -~~	() http://secunia.com/advisories/42757 -
References	~~() http://www.mandriva.com/security/advisories?name=MDVSA-2011:092 -~~	() http://www.mandriva.com/security/advisories?name=MDVSA-2011:092 -
References	~~() http://www.openwall.com/lists/oss-security/2010/12/09/8 -~~	() http://www.openwall.com/lists/oss-security/2010/12/09/8 -
References	~~() http://www.openwall.com/lists/oss-security/2010/12/24/1 -~~	() http://www.openwall.com/lists/oss-security/2010/12/24/1 -
References	~~() http://www.securityfocus.com/bid/45189 -~~	() http://www.securityfocus.com/bid/45189 -

Information

Published : 2011-01-14 01:00

Updated : 2025-04-11 00:51

NVD link : CVE-2010-4334

Mitre link : CVE-2010-4334

CVE.ORG link : CVE-2010-4334

JSON object : View

Products Affected

io-socket-ssl

io-socket-ssl

CWE

CWE-310

Cryptographic Issues

{"id": "CVE-2010-4334", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2011-01-14T01:00:03.307", "references": [{"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058", "tags": ["Patch"], "source": "secalert@redhat.com"}, {"url": "http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.35/Changes", "source": "secalert@redhat.com"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052594.html", "source": "secalert@redhat.com"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052601.html", "source": "secalert@redhat.com"}, {"url": "http://osvdb.org/69626", "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/42508", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/42757", "source": "secalert@redhat.com"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:092", "source": "secalert@redhat.com"}, {"url": "http://www.openwall.com/lists/oss-security/2010/12/09/8", "source": "secalert@redhat.com"}, {"url": "http://www.openwall.com/lists/oss-security/2010/12/24/1", "source": "secalert@redhat.com"}, {"url": "http://www.securityfocus.com/bid/45189", "source": "secalert@redhat.com"}, {"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.35/Changes", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052594.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052601.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://osvdb.org/69626", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/42508", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://secunia.com/advisories/42757", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:092", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2010/12/09/8", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.openwall.com/lists/oss-security/2010/12/24/1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/45189", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}]}], "descriptions": [{"lang": "en", "value": "The IO::Socket::SSL module 1.35 for Perl, when verify_mode is not VERIFY_NONE, fails open to VERIFY_NONE instead of throwing an error when a ca_file/ca_path cannot be verified, which allows remote attackers to bypass intended certificate restrictions."}, {"lang": "es", "value": "El m\u00f3dulo en Perl IO::Socket::SSL v1.35,cuando verify_mode no es VERIFY_NONE, falla al abrir el VERIFY_NONE en lugar de lanzar un error cuando un ca_file/ca_path no puede ser verificado, el cual permite que atacantes remotos eludan las restricciones de certificado."}], "lastModified": "2025-04-11T00:51:21.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:io-socket-ssl:io-socket-ssl:1.35:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C1856D88-2510-4D9A-B288-A08EC3390EFA"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}

4.0 /10