{
  "threat_severity" : "Moderate",
  "public_date" : "2021-11-23T00:00:00Z",
  "bugzilla" : {
    "description" : "perl-CPAN: Bypass of verification of signatures in CHECKSUMS files",
    "id" : "2035273",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2035273"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-347",
  "details" : [ "CPAN 2.28 allows Signature Verification Bypass.", "A flaw was found in the way the perl-CPAN performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification." ],
  "statement" : "This vulnerability is assigned a Moderate severity rating primarily because of the multistep nature of the attack and the efficacy of environmental security controls. The underlying issue is a serious software flaw, designated as CWE-347: Improper Verification of Cryptographic Signature, which means the system fails to correctly verify the digital authenticity of installation packages, potentially allowing an attacker to insert malicious software into the CPAN repository. However, successfully exploiting this flaw requires a complex attack chain: the adversary must first gain control of a legitimate CPAN distribution mirror and then actively deceive a targeted user into initiating an install from that compromised source, which necessitates User Interaction. Although the potential impact of a successful attack is high (leading to a complete compromise of the victim's data and system integrity), the severity is downgraded to Moderate in secure, regulated environments. This is because mandatory defenses such as enforcing secure HTTPS/TLS connections, implementing Multi-Factor Authentication (MFA), adhering to least-privilege access principles, and mandating the use of FIPS-validated cryptographic modules create robust, layered barriers that significantly increase the difficulty of both the required initial compromise and the necessary social engineering of a protected user, thus lowering the overall practical risk.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-06-03T00:00:00Z",
    "advisory" : "RHSA-2025:8432",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "perl-CPAN-0:2.18-402.el8_10"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "perl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "perl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "perl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "perl:5.30/perl-CPAN",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "perl:5.32/perl-CPAN",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "perl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "perl-CPAN",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Will not fix",
    "package_name" : "rh-perl530-perl-CPAN",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-16156\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-16156\nhttp://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html\nhttps://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/" ],
  "name" : "CVE-2020-16156",
  "mitigation" : {
    "value" : "This issue can be mitigated by configuring perl-CPAN to only use trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and to use HTTPS for communication with CPAN servers. If you already have cpan configured, the list of configured mirrors can be viewed by running the `cpan` command without any argument and entering the following command at the cpan command's prompt:\n```\no conf urllist\n```\nEnsure that the URL list only includes trusted mirrors and that the https:// scheme is used for all URLs. A different set of mirrors can be configured using the following commands (these examples show how to configure one or more mirrors; only one of the commands should be used):\n```\no conf urllist https://www.cpan.org\no conf urllist https://www.cpan.org https://cpan.metacpan.org\n```\nAfter changing the configuration, the following command must be used to save it:\n```\no conf commit\n```",
    "lang" : "en:us"
  },
  "csaw" : false
}