Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2024-45321

Опубликовано: 27 авг. 2024
Источник: redhat
CVSS3: 8.1
EPSS Низкий

Описание

The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.

A flaw was found in App::cpanminus (cpanm) through version 1.7047. The default configuration downloads Perl modules from CPAN using HTTP, which could allow an attacker to view or modify the content without the knowledge of the user. This issue could allow an attacker to execute malicious code if they have the ability to intercept and modify the content before it reaches to user.

Меры по смягчению последствий

A user can force cpanminus to use a HTTPS mirror using the --from command-line argument. This can be configured as a CLI option or as an environment variable. As a command line argument, replacing DISTNAME in the command with the name of the distribution you want to install: $ cpanm --from https://www.cpan.org DISTNAME As set with the environment variable: $ export PERL_CPANM_OPT="--from https://www.cpan.org"

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 10perl-App-cpanminusNot affected
Red Hat Enterprise Linux 7perl-App-cpanminusAffected
Red Hat Enterprise Linux 8perl-App-cpanminusWill not fix
Red Hat Enterprise Linux 8perl-App-cpanminusFixedRHSA-2024:1021925.11.2024
Red Hat Enterprise Linux 9perl-App-cpanminusFixedRHSA-2024:1021825.11.2024

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
https://bugzilla.redhat.com/show_bug.cgi?id=2308078perl-App-cpanminus: Insecure HTTP in App::cpanminus Allows Code Execution Vulnerability

EPSS

Процентиль: 28%
0.00099
Низкий

8.1 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2024-45321

CVSS3: 8.1
ubuntu
12 месяцев назад

The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.

nvd логотип

CVE-2024-45321

CVSS3: 8.1
nvd
12 месяцев назад

The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.

debian логотип

CVE-2024-45321

CVSS3: 8.1
debian
12 месяцев назад

The App::cpanminus package through 1.7047 for Perl downloads code via ...

github логотип

GHSA-9mmm-86g7-vp9g

CVSS3: 9.8
github
12 месяцев назад

The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.

oracle-oval логотип

ELSA-2024-10219

oracle-oval
9 месяцев назад

ELSA-2024-10219: perl-App-cpanminus:1.7044 security update (MODERATE)

EPSS

Процентиль: 28%
0.00099
Низкий

8.1 High

CVSS3