Vulnerability Description
The IO::Socket::SSL module 1.35 for Perl, when verify_mode is not VERIFY_NONE, fails open to VERIFY_NONE instead of throwing an error when a ca_file/ca_path cannot be verified, which allows remote attackers to bypass intended certificate restrictions.
CVSS Score
4.0 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Io-Socket-Ssl | Io-Socket-Ssl | 1.35 |
Related Weaknesses (CWE)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058 (Patch)
- http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.35/Changes
- http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052594.h
- http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052601.h
- http://osvdb.org/69626
- http://secunia.com/advisories/42508 (Vendor Advisory)
- http://secunia.com/advisories/42757
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:092
- http://www.openwall.com/lists/oss-security/2010/12/09/8
- http://www.openwall.com/lists/oss-security/2010/12/24/1
- http://www.securityfocus.com/bid/45189
FAQ
What is CVE-2010-4334?
CVE-2010-4334 is a vulnerability with a CVSS score of 4.0 (MEDIUM). The IO::Socket::SSL module 1.35 for Perl, when verify_mode is not VERIFY_NONE, fails open to VERIFY_NONE instead of throwing an error when a ca_file/ca_path cannot be verified, which allows remote attackers to bypass intended certificate restrictions.
How severe is CVE-2010-4334?
CVE-2010-4334 has been rated MEDIUM with a CVSS base score of 4.0/10; see the CVSS Score section above.
Is there a patch for CVE-2010-4334?
Check the References section above for vendor advisories and patch information. The affected product is Io-Socket-Ssl (vendor Io-Socket-Ssl), version 1.35.