Closed stigtsp closed 2 months ago
Hi!
CVE-2024-45321 added by eb3f1ca3ed55883b54b6c8cdfe0ceeef25fbeaf7 is listed with CWE-94 Improper Control of Generation of Code ('Code Injection')
Since the vulnerability is "cpanminus uses insecure HTTP to download and install code from CPAN", wouldn't CWE-494: Download of Code Without Integrity Check be more appropriate?
https://security.metacpan.org/2024/08/26/cpanminus-downloads-code-using-insecure-http.html
If this is changed to CWE-494 then the CVSS scores should also likely be updated.
Cc: @timlegge
@stigtsp Our analysts reviewed this and fixed the upstream data, which should be pushed out to all channels now. Thanks for the report!