VYPR
Severity: unrated · Source: NVD Advisory · Published Jan 28, 2020 · Updated Aug 6, 2024

CVE-2014-3230

Description

LWP::Protocol::https 6.04-6.06 disables SSL certificate verification when HTTPS_CA_DIR or HTTPS_CA_FILE env vars are set, allowing MITM attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The LWP::Protocol::https module (part of libwww-perl) versions 6.04 through 6.06, when using IO::Socket::SSL as the SSL socket class, mishandles the HTTPS_CA_DIR and HTTPS_CA_FILE environment variables. Instead of only disabling hostname verification (as intended for compatibility with Crypt::SSLeay), the code sets SSL_verify_mode to 0, completely disabling server certificate validation [1][3]. This affects all applications using LWP::UserAgent with HTTPS and these environment variables set.

Exploitation

An attacker with network access (e.g., a man-in-the-middle position) can exploit this by intercepting HTTPS connections. No authentication is required; the only precondition is that HTTPS_CA_DIR or HTTPS_CA_FILE is set to any value in the victim process's environment (whether the attacker arranged it or the victim's own configuration already sets it). The victim's application then accepts any SSL certificate presented by the attacker, including self-signed or otherwise invalid certificates [3][4].

Impact

Successful exploitation allows the attacker to decrypt, read, and modify HTTPS traffic between the victim and legitimate servers. This leads to disclosure of sensitive data (e.g., credentials, session tokens) and potential injection of malicious content. The attacker gains the ability to impersonate any HTTPS server to the victim, with no certificate validation.

Mitigation

The fix was proposed in pull request #14 [2] and released in LWP::Protocol::https version 6.07 (2014-06-10). Users should upgrade to version 6.07 or later. As a workaround, avoid setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variables when using IO::Socket::SSL, or switch to Crypt::SSLeay as the SSL backend. The vulnerability is not listed in CISA KEV as of 2025.
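As an added check (not from this advisory or the libwww-perl project), the Perl script below audits a process for the conditions the advisory describes and contrasts a default LWP::UserAgent with one that pins its ssl_opts explicitly; the audit_lwp_tls_verification function is hypothetical and the CA bundle path is a constructed placeholder. It assumes LWP::UserAgent 6.x, where HTTPS_CA_FILE/HTTPS_CA_DIR are turned into verify_hostname => 0 for Crypt::SSLeay compatibility unless the application sets that key itself.

```perl
# Added example: audit a process for CVE-2014-3230 exposure and show the explicit
# ssl_opts that keep certificate verification on regardless of the environment.
use strict;
use warnings;
use version;
use LWP::UserAgent;

# Returns a hashref describing the exposure of a given LWP::UserAgent. "Exposed" means:
# affected LWP::Protocol::https (6.04-6.06), a Crypt::SSLeay compatibility variable in
# the environment, and no verify_hostname pinned by the application (so the env var won).
sub audit_lwp_tls_verification {
    my ($ua) = @_;
    my %r = (installed => 0, affected_version => 0, env_vars => [], verify_hostname => 0);

    $r{installed} = eval { require LWP::Protocol::https; 1 } ? 1 : 0;
    if ($r{installed}) {
        my $v = version->parse(LWP::Protocol::https->VERSION);
        $r{version} = "$v";
        $r{affected_version} =
            ($v >= version->parse('6.04') && $v <= version->parse('6.06')) ? 1 : 0;
    }
    $r{env_vars} = [ grep { defined $ENV{$_} && length $ENV{$_} } qw(HTTPS_CA_DIR HTTPS_CA_FILE) ];
    # verify_hostname => 0 is what LWP::UserAgent derives from HTTPS_CA_* when the
    # application did not pin it; on affected versions that also zeroes SSL_verify_mode.
    $r{verify_hostname} = $ua->ssl_opts('verify_hostname') ? 1 : 0;
    $r{exposed} = ($r{affected_version} && @{ $r{env_vars} } && !$r{verify_hostname}) ? 1 : 0;
    return \%r;
}

# Constructed environment for the demo: the path need not exist, no connection is made.
$ENV{HTTPS_CA_FILE} = '/path/to/ca-bundle.crt';

# Weak: rely on defaults, so HTTPS_CA_FILE downgrades verify_hostname to 0.
my $implicit = LWP::UserAgent->new;

# Hardened: pin verify_hostname and the CA bundle in code so the env var can no
# longer change the verification policy; SSL_ca_file is handed to IO::Socket::SSL.
my $explicit = LWP::UserAgent->new(
    ssl_opts => { verify_hostname => 1, SSL_ca_file => $ENV{HTTPS_CA_FILE} },
);

for my $pair ([implicit => $implicit], [explicit => $explicit]) {
    my ($name, $ua) = @$pair;
    my $r = audit_lwp_tls_verification($ua);
    printf "%-8s LWP::Protocol::https=%s affected=%d env=%s verify_hostname=%d exposed=%d\n",
        $name, $r->{version} // 'missing', $r->{affected_version},
        join(',', @{ $r->{env_vars} }) || '-', $r->{verify_hostname}, $r->{exposed};
}
```

On a patched installation the implicit agent still reports verify_hostname=0 (hostname checks off, as the Crypt::SSLeay compatibility mode intends) but exposed=0, which is why the explicit form is the safer default for application code.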

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
