{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-45321", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-09-06T13:33:38.493Z", "dateReserved": "2024-08-27T00:00:00", "datePublished": "2024-08-27T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-08-27T04:10:30.761045"}, "descriptions": [{"lang": "en", "value": "The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://security.metacpan.org/2024/08/26/cpanminus-downloads-code-using-insecure-http.html"}, {"url": "https://github.com/miyagawa/cpanminus/issues/611"}, {"url": "https://github.com/miyagawa/cpanminus/pull/674"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-494", "lang": "en", "description": "CWE-494 Download of Code Without Integrity Check"}]}], "affected": [{"vendor": "perl", "product": "cpanminus", "cpes": ["cpe:2.3:a:perl:cpanminus:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7047", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-27T13:12:14.251524Z", "id": "CVE-2024-45321", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-06T13:33:38.493Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-45321", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-27T13:12:14.251524Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:perl:cpanminus:*:*:*:*:*:*:*:*"], "vendor": "perl", "product": "cpanminus", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7047"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-494", "description": "CWE-494 Download of Code Without Integrity Check"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T13:23:33.278Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://security.metacpan.org/2024/08/26/cpanminus-downloads-code-using-insecure-http.html"}, {"url": "https://github.com/miyagawa/cpanminus/issues/611"}, {"url": "https://github.com/miyagawa/cpanminus/pull/674"}], "descriptions": [{"lang": "en", "value": "The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-08-27T04:10:30.761045"}}}, "cveMetadata": {"cveId": "CVE-2024-45321", "state": "PUBLISHED", "dateUpdated": "2024-09-06T13:33:38.493Z", "dateReserved": "2024-08-27T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-08-27T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:app\\:\\:cpanminus_project:app\\:\\:cpanminus:*:*:*:*:*:perl:*:*", "matchCriteriaId": "E7633BA7-2A2E-45A8-9A0F-69E1E35D0D2A", "versionEndIncluding": "1.7047", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers."}, {"lang": "es", "value": "El paquete App::cpanminus hasta 1.7047 para Perl descarga c\u00f3digo a trav\u00e9s de HTTP inseguro, lo que permite la ejecuci\u00f3n de c\u00f3digo para atacantes de red."}], "id": "CVE-2024-45321", "lastModified": "2024-09-06T22:30:19.337", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-08-27T04:15:09.010", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://github.com/miyagawa/cpanminus/issues/611"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/miyagawa/cpanminus/pull/674"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://security.metacpan.org/2024/08/26/cpanminus-downloads-code-using-insecure-http.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-494"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-494"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "perl-App-cpanminus: Insecure HTTP in App::cpanminus Allows Code Execution Vulnerability", "id": "2308078", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2308078"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.", "A flaw was found in App::cpanminus (cpanm) through version 1.7047. The default configuration downloads Perl modules from CPAN using HTTP, which could allow an attacker to view or modify the content without the knowledge of the user. This issue could allow an attacker to execute malicious code if they have the ability to intercept and modify the content before it reaches to user."], "mitigation": {"lang": "en:us", "value": "A user can force cpanminus to use a HTTPS mirror using the --from command-line argument. This can be configured as a CLI option or as an environment variable. \nAs a command line argument, replacing DISTNAME in the command with the name of the distribution you want to install:\n`$ cpanm --from https://www.cpan.org DISTNAME`\nAs set with the environment variable:\n`$ export PERL_CPANM_OPT=\"--from https://www.cpan.org\"`"}, "name": "CVE-2024-45321", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "perl-App-cpanminus", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "perl-App-cpanminus", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "perl-App-cpanminus:1.7044/perl-App-cpanminus", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "perl-App-cpanminus", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-08-27T04:15:09Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-45321\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45321\nhttps://github.com/miyagawa/cpanminus/issues/611\nhttps://github.com/miyagawa/cpanminus/pull/674\nhttps://security.metacpan.org/2024/08/26/cpanminus-downloads-code-using-insecure-http.html"], "threat_severity": "Moderate"}