DEBIAN-CVE-2011-0633
- Source
- https://security-tracker.debian.org/tracker/CVE-2011-0633
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2011-0633.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2011-0633
- Upstream
- Published
- 2011-05-13T22:55:01.610Z
- Modified
- 2026-04-28T20:06:23.371107Z
- Summary
- [none]
- Details
-
The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof servers via man-in-the-middle (MITM) attacks involving hostnames that are not properly validated. NOTE: it could be argued that this is a design limitation of the Net::HTTPS API, and separate implementations should be independently assigned CVE identifiers for not working around this limitation. However, because this API was modified within LWP, a single CVE identifier has been assigned.
- References
Affected packages
Debian:11 / libwww-perl
Package
- Name
- libwww-perl
- Purl
- pkg:deb/debian/libwww-perl?arch=source
Debian:12 / libwww-perl
Package
- Name
- libwww-perl
- Purl
- pkg:deb/debian/libwww-perl?arch=source
Debian:13 / libwww-perl
Package
- Name
- libwww-perl
- Purl
- pkg:deb/debian/libwww-perl?arch=source
Debian:14 / libwww-perl
Package
- Name
- libwww-perl
- Purl
- pkg:deb/debian/libwww-perl?arch=source