{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "CPAN 2.28 allows Signature Verification Bypass."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-01-12T02:06:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://metacpan.org/pod/distribution/CPAN/scripts/cpan"}, {"tags": ["x_refsource_MISC"], "url": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"}, {"tags": ["x_refsource_MISC"], "url": "http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html"}, {"name": "FEDORA-2022-21e8372c42", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/"}, {"name": "FEDORA-2022-84fd87f7eb", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-16156", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CPAN 2.28 allows Signature Verification Bypass."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://metacpan.org/pod/distribution/CPAN/scripts/cpan", "refsource": "MISC", "url": "https://metacpan.org/pod/distribution/CPAN/scripts/cpan"}, {"name": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/", "refsource": "MISC", "url": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"}, {"name": "http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html", "refsource": "MISC", "url": "http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html"}, {"name": "FEDORA-2022-21e8372c42", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/"}, {"name": "FEDORA-2022-84fd87f7eb", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:37:53.805Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://metacpan.org/pod/distribution/CPAN/scripts/cpan"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html"}, {"name": "FEDORA-2022-21e8372c42", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/"}, {"name": "FEDORA-2022-84fd87f7eb", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-16156", "datePublished": "2021-12-13T17:03:00", "dateReserved": "2020-07-30T00:00:00", "dateUpdated": "2024-08-04T13:37:53.805Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:perl:comprehensive_perl_archive_network:2.28:-:*:*:*:perl:*:*", "matchCriteriaId": "410C0D66-B07E-4B1D-A71E-5E5D8C737CC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:perl:comprehensive_perl_archive_network:2.28:trial:*:*:*:perl:*:*", "matchCriteriaId": "20F53CB0-E9E7-41CF-AAF1-58328E5E0A30", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CPAN 2.28 allows Signature Verification Bypass."}, {"lang": "es", "value": "CPAN versi\u00f3n 2.28, permite una Omisi\u00f3n de Verificaci\u00f3n de Firmas"}], "id": "CVE-2020-16156", "lastModified": "2024-11-21T05:06:52.107", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-12-13T18:15:07.943", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://metacpan.org/pod/distribution/CPAN/scripts/cpan"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Third Party Advisory"], "url": "https://metacpan.org/pod/distribution/CPAN/scripts/cpan"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:8432", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "perl-CPAN-0:2.18-402.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-06-03T00:00:00Z"}], "bugzilla": {"description": "perl-CPAN: Bypass of verification of signatures in CHECKSUMS files", "id": "2035273", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2035273"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-347", "details": ["CPAN 2.28 allows Signature Verification Bypass.", "A flaw was found in the way the perl-CPAN performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification."], "mitigation": {"lang": "en:us", "value": "This issue can be mitigated by configuring perl-CPAN to only use trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and use HTTPS for communication with CPAN servers. If you already have a cpan configured, the list of configured mirrors can be viewed by running the `cpan` command without any argument and entering the following command on the cpan command's prompt:\n```\no conf urllist\n```\nEnsure that the URL list only includes trusted mirrors and that https:// scheme is used for all URLs. A different set of mirrors can be configured using the following commands (these examples show how to configure one or more mirrors, only one of the commands should be used):\n```\no conf urllist https://www.cpan.org\no conf urllist https://www.cpan.org https://cpan.metacpan.org\n```\nAfter changing configuration, the following command must be used to save the configuration:\n```\no conf commit\n```"}, "name": "CVE-2020-16156", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "perl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "perl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "perl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "perl:5.30/perl-CPAN", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "perl:5.32/perl-CPAN", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "perl", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "perl-CPAN", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-perl530-perl-CPAN", "product_name": "Red Hat Software Collections"}], "public_date": "2021-11-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-16156\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-16156\nhttp://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html\nhttps://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/"], "statement": "This vulnerability was rated as MODERATE severity because it allows an attacker to inject malicious packages into the CPAN system by bypassing signature verification, it requires the attacker to control a CPAN mirror and deceive the victim into using it, it poses a risk of installing compromised software.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-347: Improper Verification of Cryptographic Signature vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform uses secure, encrypted HTTPS connections over TLS 1.2, and access to all platform resources is restricted by default. Red Hat enforces strong authentication through hard token-based multi-factor authentication (MFA), combined with least privilege principles to ensure that only authorized users and roles can execute or modify code. Internal and external certificates are established and maintained within a secure environment, and the platform enforces the use of FIPS-validated cryptographic modules across all compute resources. This reduces the risk of improper cryptographic signatures by ensuring that keys used for signature generation and verification are created with approved algorithms, securely managed, and protected against unauthorized access. Additionally, static code analysis and peer code reviews support robust input validation and error handling, reducing the likelihood of missing or improperly implemented signature validation mechanisms.", "threat_severity": "Moderate"}