Published: 13 December 2021
CPAN 2.28 allows Signature Verification Bypass.
Fix is in cpanpm 2.29.
Using only known, identified HTTPS mirrors could be a solution: when Perl modules are fetched from a trusted server, the server's identity is verified even in the absence of perl-module-signature.
CVSS 3 base score: 7.8
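To check the HTTPS-mirror mitigation above, the following added example (not part of the original advisory and not CPAN's own code) lists every non-HTTPS entry in the `urllist` of a CPAN.pm configuration file. The sample configuration and mirror hostnames are constructed; the `q[...]` quoting is the form CPAN.pm writes to `MyConfig.pm`.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a CPAN.pm MyConfig.pm fragment (hostnames are placeholders).
SAMPLE_CONFIG = r"""
$CPAN::Config = {
  'urllist' => [
    q[http://mirror.example.org/CPAN/],
    q[https://cpan.example.net/],
    'ftp://ftp.example.com/pub/CPAN/',
  ],
};
"""

URLLIST_START = re.compile(r"""['"]?urllist['"]?\s*=>\s*\[""")
# One mirror entry: q[...], '...' or "..."
ENTRY = re.compile(r'''q\[([^\]]*)\]|'([^']*)'|"([^"]*)"''')


def extract_urllist(config_text):
    """Return the mirror URLs configured in urllist, in file order."""
    m = URLLIST_START.search(config_text)
    if not m:
        return []
    # q[...] entries contain brackets, so track nesting depth to find
    # the bracket that really closes the array.
    depth, i = 1, m.end()
    while i < len(config_text) and depth:
        if config_text[i] == "[":
            depth += 1
        elif config_text[i] == "]":
            depth -= 1
        i += 1
    body = config_text[m.end():i - 1] if depth == 0 else config_text[m.end():]
    return [next(g for g in e.groups() if g is not None)
            for e in ENTRY.finditer(body)]


def insecure_mirrors(config_text):
    """Return urllist entries that are not fetched over HTTPS."""
    return [u for u in extract_urllist(config_text)
            if urlsplit(u).scheme.lower() != "https"]


if __name__ == "__main__":
    for url in insecure_mirrors(SAMPLE_CONFIG):
        print("non-HTTPS mirror:", url)
```
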