CVE-2013-2145 - Vulnerability Details - OpenCVE

The cpansign verify functionality in the Module::Signature module before 0.72 for Perl allows attackers to bypass the signature check and execute arbitrary code via a SIGNATURE file with a "special unknown cipher" that references an untrusted module in Digest/.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Opensuse	Opensuse
Perlmonks	Module\

Configuration 1 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::*
	cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:13.04:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:opensuse:opensuse:11.4:::::::*
	cpe:2.3:o:opensuse:opensuse:12.2:::::::*
	cpe:2.3:o:opensuse:opensuse:12.3:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:perlmonks:module\:\:signature::::::perl::*
	cpe:2.3:a:perlmonks:module\:\:signature:0.70:::::perl::
	cpe:2.3:a:perlmonks:module\:\:signature:0.71:::::perl::

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-updates/2013-07/msg00039.html
http://lists.opensuse.org/opensuse-updates/2013-07/msg00043.html
http://www.openwall.com/lists/oss-security/2013/06/05/16
http://www.securityfocus.com/bid/60352
http://www.ubuntu.com/usn/USN-1896-1
https://bugzilla.redhat.com/show_bug.cgi?id=971096
https://github.com/audreyt/module-signature/commit/575f7bd6ba4cc7c92f841e8758f88a131674ebf2
https://github.com/audreyt/module-signature/commit/cbd06b392a73c63159dc5c20ff5b3c8fc88c4896

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-08-19T23:00:00Z

Updated: 2024-09-16T20:13:25.066Z

Reserved: 2013-02-19T00:00:00Z

Link: CVE-2013-2145

Vulnrichment

No data.

NVD

Status : Modified

Published: 2013-08-19T23:55:08.397

Modified: 2024-11-21T01:51:07.877

Link: CVE-2013-2145

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The cpansign verify functionality in the Module::Signature module before 0.72 for Perl allows attackers to bypass the signature check and execute arbitrary code via a SIGNATURE file with a \"special unknown cipher\" that references an untrusted module in Digest/."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-08-19T23:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "openSUSE-SU-2013:1185", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-07/msg00043.html"}, {"name": "60352", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/60352"}, {"name": "openSUSE-SU-2013:1178", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-07/msg00039.html"}, {"name": "[oss-security] 20130605 CVE-2013-2145: perl Module::Signature code execution vulnerability", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2013/06/05/16"}, {"name": "USN-1896-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-1896-1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/audreyt/module-signature/commit/cbd06b392a73c63159dc5c20ff5b3c8fc88c4896"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=971096"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/audreyt/module-signature/commit/575f7bd6ba4cc7c92f841e8758f88a131674ebf2"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-2145", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The cpansign verify functionality in the Module::Signature module before 0.72 for Perl allows attackers to bypass the signature check and execute arbitrary code via a SIGNATURE file with a \"special unknown cipher\" that references an untrusted module in Digest/."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2013:1185", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-07/msg00043.html"}, {"name": "60352", "refsource": "BID", "url": "http://www.securityfocus.com/bid/60352"}, {"name": "openSUSE-SU-2013:1178", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-07/msg00039.html"}, {"name": "[oss-security] 20130605 CVE-2013-2145: perl Module::Signature code execution vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/06/05/16"}, {"name": "USN-1896-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-1896-1"}, {"name": "https://github.com/audreyt/module-signature/commit/cbd06b392a73c63159dc5c20ff5b3c8fc88c4896", "refsource": "CONFIRM", "url": "https://github.com/audreyt/module-signature/commit/cbd06b392a73c63159dc5c20ff5b3c8fc88c4896"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=971096", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=971096"}, {"name": "https://github.com/audreyt/module-signature/commit/575f7bd6ba4cc7c92f841e8758f88a131674ebf2", "refsource": "CONFIRM", "url": "https://github.com/audreyt/module-signature/commit/575f7bd6ba4cc7c92f841e8758f88a131674ebf2"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T15:27:41.038Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2013:1185", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2013-07/msg00043.html"}, {"name": "60352", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/60352"}, {"name": "openSUSE-SU-2013:1178", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2013-07/msg00039.html"}, {"name": "[oss-security] 20130605 CVE-2013-2145: perl Module::Signature code execution vulnerability", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2013/06/05/16"}, {"name": "USN-1896-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-1896-1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/audreyt/module-signature/commit/cbd06b392a73c63159dc5c20ff5b3c8fc88c4896"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=971096"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/audreyt/module-signature/commit/575f7bd6ba4cc7c92f841e8758f88a131674ebf2"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2145", "datePublished": "2013-08-19T23:00:00Z", "dateReserved": "2013-02-19T00:00:00Z", "dateUpdated": "2024-09-16T20:13:25.066Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*", "matchCriteriaId": "F5D324C4-97C7-49D3-A809-9EAD4B690C69", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*", "matchCriteriaId": "EFAA48D9-BEB4-4E49-AD50-325C262D46D9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*", "matchCriteriaId": "DE554781-1EB9-446E-911F-6C11970C47F4", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*", "matchCriteriaId": "D806A17E-B8F9-466D-807D-3F1E77603DC8", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:perlmonks:module\\:\\:signature:*:*:*:*:*:perl:*:*", "matchCriteriaId": "2E6F9A20-E1C8-44DA-93DA-159F0CF69AD8", "versionEndIncluding": "0.72", "vulnerable": true}, {"criteria": "cpe:2.3:a:perlmonks:module\\:\\:signature:0.70:*:*:*:*:perl:*:*", "matchCriteriaId": "A0220732-83D9-438E-A6A8-997E11187221", "vulnerable": true}, {"criteria": "cpe:2.3:a:perlmonks:module\\:\\:signature:0.71:*:*:*:*:perl:*:*", "matchCriteriaId": "F3716378-31D1-4E92-B3D3-3529750C76DB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The cpansign verify functionality in the Module::Signature module before 0.72 for Perl allows attackers to bypass the signature check and execute arbitrary code via a SIGNATURE file with a \"special unknown cipher\" that references an untrusted module in Digest/."}, {"lang": "es", "value": "La funcionalidad de verificaci\u00f3n cpansign en el m\u00f3dulo Module::Signature anterior a 0.72 para Perl, permite a atacantes evitar la comprobaci\u00f3n de firma y ejecutar c\u00f3digo arbitrarioa trav\u00e9s de un archivo SIGNATURE con \"un cifrado desconocido especial\" que referencia a un m\u00f3dulo no confiable en Digest/."}], "id": "CVE-2013-2145", "lastModified": "2024-11-21T01:51:07.877", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-08-19T23:55:08.397", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2013-07/msg00039.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2013-07/msg00043.html"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/06/05/16"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/60352"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-1896-1"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=971096"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Patch"], "url": "https://github.com/audreyt/module-signature/commit/575f7bd6ba4cc7c92f841e8758f88a131674ebf2"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Patch"], "url": "https://github.com/audreyt/module-signature/commit/cbd06b392a73c63159dc5c20ff5b3c8fc88c4896"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2013-07/msg00039.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2013-07/msg00043.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2013/06/05/16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/60352"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-1896-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=971096"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://github.com/audreyt/module-signature/commit/575f7bd6ba4cc7c92f841e8758f88a131674ebf2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://github.com/audreyt/module-signature/commit/cbd06b392a73c63159dc5c20ff5b3c8fc88c4896"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}