CVE-2023-31485: Add verify_SSL=>1 to HTTP::Tiny to verify https server identity by stigtsp · Pull Request #57 · bluefeet/GitLab-API-v4
GitLab::API::v4 through 0.26 does not verify TLS certificates when connecting to a GitLab server, enabling machine-in-the-middle attacks.
The verify_SSL=>1 flag is missing from HTTP::Tiny in this distribution, and allows a network attacker to MITM connections to the GitLab server. This patch sets verify_SSL to 1 and will make requests to GitLab servers without a valid certificate fail.
The problem has been verified using mitmproxy.
MITM test with fix
$ PERL5LIB="./lib" script/gitlab-api-v4 projects | wc -c
Error GETing https://gitlab.com/api/v4/projects (HTTP 599): Internal Exception SSL connection failed for gitlab.com: SSL connect … at script/gitlab-api-v4 line 115.
0
MITM test without fix
$ PERL5LIB="./lib" script/gitlab-api-v4 projects | wc -c
86599
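The setting this PR adds, shown in a stand-alone Perl script as an added example (this is not code from the PR or from GitLab::API::v4). It builds an HTTP::Tiny client with verify_SSL=>1, checks up front with HTTP::Tiny->can_ssl that TLS verification is even possible (IO::Socket::SSL, Net::SSLeay and a CA bundle present), and treats HTTP::Tiny's status 599, which is how it reports an internal exception such as a failed TLS handshake, as a hard failure rather than as data. The helper names make_client and check_tls and the example URL are assumptions made for this illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Tiny;

# Hypothetical helper for this example: build an HTTP::Tiny client that
# verifies the server certificate. Older HTTP::Tiny releases default
# verify_SSL to 0, so it is set explicitly regardless of version.
sub make_client {
    # can_ssl returns (ok, why) in list context; with verify_SSL in mind it
    # also confirms a usable CA file can be found.
    my ( $ok, $why ) = HTTP::Tiny->can_ssl;
    die "TLS verification not usable: $why\n" unless $ok;

    return HTTP::Tiny->new(
        verify_SSL => 1,    # the fix from this PR: check the server identity
        timeout    => 30,
    );
}

# Hypothetical helper for this example: perform a GET and distinguish a
# transport/TLS failure from an HTTP response. HTTP::Tiny signals internal
# errors, including "SSL connection failed", as status 599 with the reason
# in the response body, so a caller that only looks at content would
# silently proceed on an interposed connection.
sub check_tls {
    my ( $http, $url ) = @_;
    my $res = $http->get($url);

    if ( $res->{status} == 599 ) {
        return ( 0, "request to $url failed: $res->{content}" );
    }
    return ( 1, "$res->{status} $res->{reason}" );
}

# Assumed usage: pass the API URL on the command line.
my $url = shift @ARGV
    or die "usage: $0 https://gitlab.example.com/api/v4/version\n";

my ( $ok, $msg ) = check_tls( make_client(), $url );
print "$msg\n";
exit( $ok ? 0 : 1 );
```

Run it once directly against the GitLab host and once through an intercepting proxy such as mitmproxy presenting its own certificate: the second run should exit non-zero with the 599 message, which is the same condition the "MITM test with fix" output above shows for the patched client. If the first run also fails with 599, check the CA bundle HTTP::Tiny->can_ssl reports before suspecting the server.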