CVE-2013-2145 — Improper Input Validation in Libmodule-signature-perl

CWE-20 — Improper Input Validation8 documents6 sources

Severity

4.4MEDIUMNVD

EPSS

0.2%

top 58.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Libmodule-signature-perl Perlmonks Module Canonical Ubuntu Linux +1 more

Timeline

PublishedAug 19

Latest updateMay 14

Description

The cpansign verify functionality in the Module::Signature module before 0.72 for Perl allows attackers to bypass the signature check and execute arbitrary code via a SIGNATURE file with a "special unknown cipher" that references an untrusted module in Digest/.

CVSS vector

AV:L/AC:M/C:P/I:P/A:PExploitability: 3.4 | Impact: 6.4

Affected Packages3 packages

▶debiandebian/libmodule-signature-perl< libmodule-signature-perl 0.73-1 (bookworm)

▶NVDperlmonks/module0.72+1

▶NVDopensuse/opensuse11.4, 12.2, 12.3+2

Also affects: Ubuntu Linux 12.04, 12.10, 13.04

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-99g4-3v63-xpqx: The cpansign verify functionality in the Module::Signature module before 0↗2022-05-14

▶

OSV

CVE-2013-2145: The cpansign verify functionality in the Module::Signature module before 0↗2013-08-19

▶

📋Vendor Advisories

Ubuntu

Module::Signature perl module vulnerability↗2013-07-03

▶

Debian

CVE-2013-2145: libmodule-signature-perl - The cpansign verify functionality in the Module::Signature module before 0.72 fo...↗2013

▶

💬Community

Bugzilla

CVE-2013-2145 perl-Module-Signature: arbitrary code execution when verifying SIGNATURE [epel-all]↗2013-06-05

▶

Bugzilla

CVE-2013-2145 perl-Module-Signature: arbitrary code execution when verifying SIGNATURE↗2013-06-05

▶

Bugzilla

CVE-2013-2145 perl-Module-Signature: arbitrary code execution when verifying SIGNATURE [fedora-all]↗2013-06-05

▶