CVE-2023-31485

Name          CVE-2023-31485
Description   GitLab::API::v4 through 0.26 does not verify TLS certificates when connecting to a GitLab server, enabling machine-in-the-middle attacks.
Source        CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs   954051

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package               Release       Version   Status
libgitlab-api-v4-perl (PTS)  bullseye      0.26-1    vulnerable
                             bookworm      0.26-3    vulnerable
                             sid, trixie   0.27-1    fixed

The information below is based on the following data on fixed versions.

Package                Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
libgitlab-api-v4-perl  source   (unstable)   0.27-1                             954051

Notes

[bookworm] - libgitlab-api-v4-perl <no-dsa> (Minor issue)
[bullseye] - libgitlab-api-v4-perl <no-dsa> (Minor issue)
[buster] - libgitlab-api-v4-perl <no-dsa> (Minor issue)
https://github.com/bluefeet/GitLab-API-v4/pull/57
https://github.com/bluefeet/GitLab-API-v4/commit/02a2862cba323fe37e10afba8183d14847866fd2 (0.27)
