CVE-2020-16156

Published: 13 December 2021

CPAN 2.28 allows Signature Verification Bypass.

Notes

Author Note
rayveldkamp Fix is in cpanpm 2.29
leosilva using only ensured identified https mirrors could be a solution, as even perl modules if a trusted server is used its identity will be verified even in the absence of perl-module-signature.

Priority

Medium

CVSS 3 Severity Score

7.8

Severity score breakdown

Parameter Value
Base score 7.8
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H