<p>Upgrade <code>Amazon-Linux:2</code> <code>perl-App-cpanminus</code> to version 0:1.6922-2.amzn2.0.1 or higher.<br>This issue was patched in <code>ALAS2-2024-2697</code>.</p>

Download of Code Without Integrity Check Affecting perl-App-cpanminus package, versions <0:1.6922-2.amzn2.0.1

Threat Intelligence

0.06% (29^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-AMZN2-PERLAPPCPANMINUS-8383020
published 16 Nov 2024
disclosed 27 Aug 2024

Report a new vulnerability Found a mistake?

Introduced: 27 Aug 2024

CVE-2024-45321 Open this link in a new tab CWE-494 Open this link in a new tab

How to fix?

Upgrade Amazon-Linux:2 perl-App-cpanminus to version 0:1.6922-2.amzn2.0.1 or higher.
This issue was patched in ALAS2-2024-2697.

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl-App-cpanminus package and not the perl-App-cpanminus package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2 relevant fixed versions and status.

The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

High