CVE-2020-16154 - Vulnerability Details - OpenCVE

The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00022.

Key SSVC decision points have not yet been added.

Vendors	Products
App\	\
Fedoraproject	Fedora

Configuration 1 [-]

cpe:2.3:a:app\:\:cpanminus_project:app\:\:cpanminus:1.7044:*:*:*:*:perl:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2020-8120	The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.
Ubuntu USN	USN-5230-1	App::cpanminus vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DENFY4CRTIZL5WYYUYUM4VKCJNXO4QIW/
https://metacpan.org/pod/App::cpanminus
https://nvd.nist.gov/vuln/detail/CVE-2020-16154
https://www.cve.org/CVERecord?id=CVE-2020-16154

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-12-13T17:00:32

Updated: 2024-08-04T13:37:53.768Z

Reserved: 2020-07-30T00:00:00

Link: CVE-2020-16154

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-12-13T17:15:08.103

Modified: 2024-11-21T05:06:51.807

Link: CVE-2020-16154

Redhat

Severity : Moderate

Publid Date: 2021-11-23T00:00:00Z

Links: CVE-2020-16154 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-09T03:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://metacpan.org/pod/App::cpanminus"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"}, {"name": "FEDORA-2022-f4b7f896e3", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DENFY4CRTIZL5WYYUYUM4VKCJNXO4QIW/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-16154", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://metacpan.org/pod/App::cpanminus", "refsource": "MISC", "url": "https://metacpan.org/pod/App::cpanminus"}, {"name": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/", "refsource": "MISC", "url": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"}, {"name": "FEDORA-2022-f4b7f896e3", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DENFY4CRTIZL5WYYUYUM4VKCJNXO4QIW/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:37:53.768Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://metacpan.org/pod/App::cpanminus"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"}, {"name": "FEDORA-2022-f4b7f896e3", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DENFY4CRTIZL5WYYUYUM4VKCJNXO4QIW/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-16154", "datePublished": "2021-12-13T17:00:32", "dateReserved": "2020-07-30T00:00:00", "dateUpdated": "2024-08-04T13:37:53.768Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:app\\:\\:cpanminus_project:app\\:\\:cpanminus:1.7044:*:*:*:*:perl:*:*", "matchCriteriaId": "33502921-1F78-4EBD-9642-6C8F0C2D8E64", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass."}, {"lang": "es", "value": "El paquete App::cpanminus versi\u00f3n 1.7044 para Perl, permite una Omisi\u00f3n de Verificaci\u00f3n de Firmas"}], "id": "CVE-2020-16154", "lastModified": "2024-11-21T05:06:51.807", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-13T17:15:08.103", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DENFY4CRTIZL5WYYUYUM4VKCJNXO4QIW/"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://metacpan.org/pod/App::cpanminus"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DENFY4CRTIZL5WYYUYUM4VKCJNXO4QIW/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://metacpan.org/pod/App::cpanminus"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "perl-App-cpanminus: Bypass of verification of signatures in CHECKSUMS files", "id": "2035341", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035341"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-347", "details": ["The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.", "A flaw was found in the way the perl-App-cpanminus performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification."], "mitigation": {"lang": "en:us", "value": "This issue can be mitigated by instructing perl-App-cpanminus to only use trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and use HTTPS for communication with CPAN servers. The `cpanm` command can be configured to use the specific CPAN mirror using the --from command line option by running it as:\n```\ncpanm --from https://www.cpan.org ...\n```\nYou can also set environment variable PERL_CPANM_OPT to include this command line option to avoid having to specify the URL for every cpanm invocation:\n```\nexport PERL_CPANM_OPT=\"--from https://www.cpan.org\"\n```"}, "name": "CVE-2020-16154", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "perl-App-cpanminus", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "perl-App-cpanminus:1.7044/perl-App-cpanminus", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "perl-App-cpanminus", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-perl530-perl-App-cpanminus", "product_name": "Red Hat Software Collections"}], "public_date": "2021-11-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-16154\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-16154\nhttp://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html\nhttps://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"], "threat_severity": "Moderate"}