Bug 2308078 (CVE-2024-45321)

Summary: CVE-2024-45321 perl-App-cpanminus: Insecure HTTP in App::cpanminus Allows Code Execution Vulnerability
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: ahanwate, ppisar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in App::cpanminus (cpanm) through version 1.7047. The default configuration downloads Perl modules from CPAN over plain HTTP, which allows a network attacker to view or modify the downloaded content without the user's knowledge. Because the downloaded modules are built and installed, an attacker who can intercept and modify the content before it reaches the user can execute arbitrary code on the user's system.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2308438, 2308439
Bug Blocks:

Description OSIDB Bzimport 2024-08-27 04:20:30 UTC
The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.
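
Added example, not part of this bug report or of the cpanminus project: a POSIX sh check for the two conditions that make a host exposed to this issue, an affected cpanm (1.7047 or earlier, per the Doc Text) and a mirror reached over plain HTTP. `--mirror`, `--mirror-only` and the `PERL_CPANM_OPT` environment variable are real cpanm options; the `cpanm --version` output format the parser expects ("... version 1.7047 ...") is an assumption, and the hardened invocation at the end uses www.cpan.org, which serves CPAN over HTTPS, with a placeholder module name.

```shell
#!/bin/sh
# Added example; not code from the Red Hat bug report or from cpanminus.
# Two checks for the CVE-2024-45321 condition: an affected cpanm
# (1.7047 or earlier, per the bug's Doc Text) that fetches its mirror over
# plain HTTP. --mirror, --mirror-only and PERL_CPANM_OPT are real cpanm
# options; the "... version 1.7047 ..." format expected from `cpanm --version`
# is an assumption.

# cpanm_version_affected VERSION_OUTPUT
# Exit 0 if the version number found in the text is 1.7047 or earlier,
# 1 if it is newer, 2 if no version could be parsed.
cpanm_version_affected() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    awk -v v="$ver" 'BEGIN { if (v + 0 <= 1.7047) exit 0; exit 1 }'
}

# cpanm_mirror_check [cpanm arguments...]
# Collect every --mirror given on the command line or in PERL_CPANM_OPT.
# Exit 0 only if at least one mirror was given and all use https://.
# No mirror at all means an affected cpanm falls back to its built-in
# HTTP default, so that case is reported as insecure too.
cpanm_mirror_check() {
    rc=0
    found=0
    # Intentional word splitting: PERL_CPANM_OPT is a space-separated option string.
    set -- ${PERL_CPANM_OPT:-} "$@"
    while [ $# -gt 0 ]; do
        case "$1" in
            --mirror)   shift; url="${1:-}" ;;
            --mirror=*) url="${1#--mirror=}" ;;
            *)          shift; continue ;;
        esac
        found=1
        case "$url" in
            https://*) echo "ok:       $url" ;;
            *)         echo "insecure: $url"; rc=1 ;;
        esac
        [ $# -gt 0 ] && shift
    done
    if [ "$found" -eq 0 ]; then
        echo "insecure: no --mirror given; an affected cpanm falls back to HTTP"
        rc=1
    fi
    return "$rc"
}

# Hardened invocation for an affected cpanm: pin an HTTPS mirror and refuse
# any other source (Some::Module is a placeholder):
#   cpanm --mirror https://www.cpan.org --mirror-only Some::Module
#
# Run the checks against the cpanm on this host, if one is installed.
if command -v cpanm >/dev/null 2>&1; then
    if cpanm_version_affected "$(cpanm --version 2>/dev/null)"; then
        echo "cpanm is 1.7047 or earlier; checking configured mirrors"
        cpanm_mirror_check "$@"
    fi
fi
```

Putting `--mirror https://www.cpan.org --mirror-only` in `PERL_CPANM_OPT` makes every cpanm run on the host pass the mirror check without touching individual invocations; `--mirror-only` matters because without it cpanm may still consult other sources when a module is missing from the pinned mirror.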

Comment 1 Petr Pisar 2024-08-29 12:28:50 UTC
Indeed App-cpanminus-1.7047 uses HTTP. Relevant upstream bug reports:

https://github.com/miyagawa/cpanminus/issues/603
https://github.com/miyagawa/cpanminus/issues/611

Relevant upstream pull requests:

https://github.com/miyagawa/cpanminus/pull/674
https://github.com/miyagawa/cpanminus/pull/678

Comment 2 errata-xmlrpc 2024-11-25 09:36:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10218 https://access.redhat.com/errata/RHSA-2024:10218

Comment 3 errata-xmlrpc 2024-11-25 09:45:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10219 https://access.redhat.com/errata/RHSA-2024:10219