CVE-2020-16156 : CPAN 2.28 allows Signature Verification Bypass.

Products affected by CVE-2020-16156

Perl » Comprehensive Perl Archive Network » Version: 2.28 For Perl
cpe:2.3:a:perl:comprehensive_perl_archive_network:2.28:-:*:*:*:perl:*:*
Matching versions
Perl » Comprehensive Perl Archive Network » Version: 2.28 Update Trial For Perl
cpe:2.3:a:perl:comprehensive_perl_archive_network:2.28:trial:*:*:*:perl:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 35
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.02%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 3 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Assigned by: nvd@nist.gov (Primary)

https://metacpan.org/pod/distribution/CPAN/scripts/cpan

cpan - easily interact with CPAN from the command line - metacpan.org
Product;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SZ32AJIV4RHJMLWLU5QULGKMMIHYOMDC/

[SECURITY] Fedora 35 Update: perl-CPAN-2.29-1.fc35 - package-announce - Fedora Mailing-Lists
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SD6RYOJII7HRJ6WVORFNVTYNOFY5JDXN/

[SECURITY] Fedora 34 Update: perl-CPAN-2.29-1.fc34 - package-announce - Fedora Mailing-Lists
Third Party Advisory
https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/

Signature Verification Vulnerabilities in CPAN.pm, cpanminus and CPAN::Checksums – Hackeriet
Exploit;Third Party Advisory

CVEs referencing this url
http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html

Addressing CPAN vulnerabilities related to checksums | NeilB [blogs.perl.org]
Exploit;Third Party Advisory