CVE-2020-16154: 
Linux Debian vulnerability analysis and mitigation

CVE-2020-16154 affects the App::cpanminus package version 1.7044 for Perl, which was discovered to contain a signature verification bypass vulnerability. The vulnerability was disclosed on December 13, 2021, and impacts the package's ability to properly verify signatures stored in CHECKSUMS files (NVD, Ubuntu).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue is classified as CWE-347 (Improper Verification of Cryptographic Signature). The vulnerability allows attackers to bypass signature verification by prepending checksums for modified packages to the beginning of CHECKSUMS files, before the cleartext PGP headers (Hackeriet Blog).

A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could exploit this vulnerability to bypass signature verification, potentially leading to the installation of compromised packages. This could result in high impacts on confidentiality, integrity, and availability of the affected systems (Red Hat).

Users should ensure their CPAN client is configured to use trusted TLS (https) protected mirrors as signature verification can be bypassed. The issue can be mitigated by using only official CPAN repositories (https://www.cpan.org/ or https://cpan.metacpan.org/). The cpanm command can be used with --from option to specify the CPAN mirror as in 'cpanm --from https://www.cpan.org' or by setting the environment variable PERLCPANMOPT to '--from https://www.cpan.org' (Ubuntu).

The vulnerability was addressed in version 1.7045-1 of perl-App-cpanminus, which removed the functionality to verify CHECKSUMS signatures. The Perl Security team was notified on July 8, 2020, and the module authors were notified on July 15, 2020, with CVE numbers assigned on July 30, 2020 (Fedora Update).