The App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass.
Weakness
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| App::cpanminus | App::cpanminus_project | 1.7044 (including) | 1.7044 (including) |
| Cpanminus | Ubuntu | bionic | * |
| Cpanminus | Ubuntu | esm-apps/bionic | * |
| Cpanminus | Ubuntu | esm-apps/focal | * |
| Cpanminus | Ubuntu | esm-apps/jammy | * |
| Cpanminus | Ubuntu | esm-apps/xenial | * |
| Cpanminus | Ubuntu | focal | * |
| Cpanminus | Ubuntu | hirsute | * |
| Cpanminus | Ubuntu | impish | * |
| Cpanminus | Ubuntu | jammy | * |
| Cpanminus | Ubuntu | trusty | * |
| Cpanminus | Ubuntu | upstream | * |
| Cpanminus | Ubuntu | xenial | * |
Related Attack Patterns
References
- https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DENFY4CRTIZL5WYYUYUM4VKCJNXO4QIW/
- https://metacpan.org/pod/App::cpanminus
- https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DENFY4CRTIZL5WYYUYUM4VKCJNXO4QIW/
- https://metacpan.org/pod/App::cpanminus