Improper Verification of Cryptographic Signature Affecting perl package, versions *
Threat Intelligence
EPSS
0.16% (54th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-PERL-1925976
- published 24 Nov 2021
- disclosed 13 Dec 2021
Introduced: 24 Nov 2021
CVE-2020-16156 Open this link in a new tabHow to fix?
There is no fixed version for Debian:11 perl.
NVD Description
Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
CPAN 2.28 allows Signature Verification Bypass.
References
- https://security-tracker.debian.org/tracker/CVE-2020-16156
- https://metacpan.org/pod/distribution/CPAN/scripts/cpan
- https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
- http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/
CVSS Scores
version 3.1