CVE-2020-16156

Note

Fix is in cpanpm 2.29
using only ensured identified https mirrors
could be a solution, as even perl modules
if a trusted server is used its identity
will be verified even in the absense of
perl-module-signature.

Package	Release	Status
perl Launchpad, Ubuntu, Debian	bionic	Released (5.26.1-6ubuntu0.6)
	focal	Released (5.30.0-9ubuntu0.3)
	hirsute	Ignored (end of life)
	impish	Ignored (end of life)
	jammy	Released (5.34.0-3ubuntu1.1)
	kinetic	Released (5.34.0-5ubuntu1.1)
	lunar	Released (5.36.0-4ubuntu2)
	trusty	Released (5.18.2-2ubuntu1.7+esm4) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	upstream	Needed
	xenial	Released (5.22.1-9ubuntu0.9+esm1) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	Patches: upstream: https://github.com/andk/cpanpm/commit/b27c51adf0fda25dee84cb72cb2b1bf7d832148c (2.29) upstream: https://github.com/andk/cpanpm/commit/bcbf6d608e48d25306ecfd273118b4d6ba1c5df6 (2.29) upstream: https://github.com/andk/cpanpm/commit/46fe910becd5746adca92e18660567c9e8d37eb5 (2.29) upstream: https://github.com/andk/cpanpm/commit/7f9e5e8c52f535c1c13e177595a5ef4710c72058 (2.29) upstream: https://github.com/andk/cpanpm/commit/c03257dbebccd4deeff1987d5efd98113643f717 (2.29) upstream: https://github.com/andk/cpanpm/commit/7d4d5e32bcd9b75f7bf70a395938a48ca4a06d25 (2.33-TRIAL) upstream: https://github.com/andk/cpanpm/commit/89b13baf1d46e4fb10023af30ef305efec4fd603 (2.33-TRIAL)

Parameter	Value
Base score	7.8
Attack vector	Local
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Security

CVE-2020-16156

Notes

Priority

Cvss 3 Severity Score

Status

Severity score breakdown

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Further reading