CVE-2023-31485: 
Linux Debian vulnerability analysis and mitigation

GitLab::API::v4 through version 0.26 contains a security vulnerability where TLS certificates are not verified when connecting to a GitLab server. This vulnerability was discovered in April 2023 and assigned CVE-2023-31485. The issue affects all versions up to and including 0.26 of the GitLab::API::v4 Perl module (NVD, Debian Tracker).

The vulnerability stems from the module's use of HTTP::Tiny without enabling certificate verification, which by default does not verify TLS certificates. This configuration violates RFC 2818 requirements for certificate validation and enables machine-in-the-middle (MITM) attacks. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with high attack complexity and potential for high confidentiality impact (NVD).

The vulnerability exposes API secrets to potential network attackers through man-in-the-middle attacks. When exploited, an attacker could intercept and view sensitive communications between the client and GitLab server, potentially exposing access tokens and any data stored in GitLab (Hackeriet Blog).

The vulnerability has been fixed in version 0.27 of GitLab::API::v4. Users should upgrade to this version or later to receive the security fix. The fix implements proper TLS certificate verification by setting verify_SSL=>1 in the HTTP::Tiny configuration (GitHub PR).

The vulnerability was initially identified as part of a broader investigation into HTTP::Tiny's insecure defaults, which affected numerous CPAN modules. The discovery led to discussions in the Perl community about secure defaults and proper SSL/TLS verification practices (OSS Security).