Signature Verification Bypass in CPAN by CPAN 2.28
CVE-2020-16156

7.8HIGH

Key Information:

Vendor
Perl
Status
Comprehensive Perl Archive Network
Vendor
CVE Published:
13 December 2021

Summary

The vulnerability in CPAN 2.28 allows attackers to bypass signature verification, potentially leading to the installation of malicious packages. This flaw compromises the integrity of package management by allowing unverified changes to be accepted, thereby exposing systems to security risks. Users are encouraged to apply available updates and security patches to mitigate the risks associated with this vulnerability.

References

https://metacpan.org/pod/distribution/CPAN/scripts/cpan
x_refsource_MISC
https://blog.hackeriet.no/cpan-signature-verification-vul...
x_refsource_MISC
http://blogs.perl.org/users/neilb/2021/11/addressing-cpan...
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.