Search criteria
63 vulnerabilities found for advanced_package_tool by debian
FKIE_CVE-2020-27350
Vulnerability from fkie_nvd - Published: 2020-12-10 04:15 - Updated: 2024-11-21 05:21
Severity ?
5.7 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
5.7 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
5.7 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Summary
APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| debian | advanced_package_tool | * | |
| canonical | ubuntu_linux | 16.04 | |
| debian | advanced_package_tool | * | |
| canonical | ubuntu_linux | 18.04 | |
| debian | advanced_package_tool | * | |
| canonical | ubuntu_linux | 20.04 | |
| debian | advanced_package_tool | * | |
| canonical | ubuntu_linux | 20.10 | |
| debian | advanced_package_tool | * | |
| debian | debian_linux | 10.0 | |
| netapp | solidfire_baseboard_management_controller_firmware | - | |
| netapp | solidfire_baseboard_management_controller | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "839A276F-A612-435F-8B32-9CD0881A703F",
"versionEndExcluding": "1.2.32ubuntu0.2",
"versionStartIncluding": "1.2.32ubuntu0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "32808FF1-724F-42B2-8720-F03F2DCB87E8",
"versionEndExcluding": "1.6.12ubuntu0.2",
"versionStartIncluding": "1.6.12ubuntu0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "84E29564-98E9-4F1E-B86C-7F835BDF47CF",
"versionEndExcluding": "2.0.2ubuntu0.2",
"versionStartIncluding": "2.0.2ubuntu0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "423237C5-087E-4E29-8B3B-D7121302E698",
"versionEndExcluding": "2.1.10ubuntu0.2",
"versionStartIncluding": "2.1.10ubuntu0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:*",
"matchCriteriaId": "338B3AAC-C147-4A31-95E7-6E8A6FB4B3FC",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "91DB2AC6-4123-412A-BBCB-C8545A292E30",
"versionEndExcluding": "1.8.2.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FB9B8171-F6CA-427D-81E0-6536D3BBFA8D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:solidfire_baseboard_management_controller:-:*:*:*:*:*:*:*",
"matchCriteriaId": "090AA6F4-4404-4E26-82AB-C3A22636F276",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;"
},
{
"lang": "es",
"value": "APT tuvo varios desbordamientos y subdesbordamientos de enteros al analizar paquetes .deb, tambi\u00e9n se conocen como GHSL-2020-168 GHSL-2020-169, en los archivos apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc.\u0026#xa0;Este problema afecta: apt versiones 1.2.32ubuntu0 anteriores a 1.2.32ubuntu0.2; versiones 1.6.12ubuntu0 anteriores a 1.6.12ubuntu0.2; versiones 2.0.2ubuntu0 anteriores a 2.0.2ubuntu0.2; versiones 2.1.10ubuntu0 anteriores a 2.1.10ubuntu0.1;"
}
],
"id": "CVE-2020-27350",
"lastModified": "2024-11-21T05:21:02.867",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 3.7,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.5,
"impactScore": 3.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-10T04:15:11.423",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Broken Link"
],
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"source": "security@ubuntu.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210108-0005/"
},
{
"source": "security@ubuntu.com",
"tags": [
"Vendor Advisory"
],
"url": "https://usn.ubuntu.com/usn/usn-4667-1"
},
{
"source": "security@ubuntu.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4808"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210108-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://usn.ubuntu.com/usn/usn-4667-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4808"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-190"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-190"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-27351
Vulnerability from fkie_nvd - Published: 2020-12-10 04:15 - Updated: 2024-11-21 05:21
Severity ?
2.0 (Low) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L
2.8 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
2.8 (Low) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Summary
Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| debian | advanced_package_tool | * | |
| canonical | ubuntu_linux | 16.04 | |
| debian | advanced_package_tool | * | |
| canonical | ubuntu_linux | 18.04 | |
| debian | advanced_package_tool | * | |
| canonical | ubuntu_linux | 20.04 | |
| debian | advanced_package_tool | * | |
| canonical | ubuntu_linux | 20.10 | |
| debian | advanced_package_tool | * | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5F1CD972-BF6E-437D-BD7A-9C6E1649E05E",
"versionEndExcluding": "1.1.0\\~beta1ubuntu0.16.04.10",
"versionStartIncluding": "1.1.0\\~beta1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "46110C63-28BC-4CAC-9D26-D5CEE0042A54",
"versionEndExcluding": "1.6.5ubuntu0.4",
"versionStartIncluding": "1.6.5ubuntu0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0EE283A5-3974-4B01-9BAC-940B32714D9F",
"versionEndExcluding": "2.0.0ubuntu0.20.04.2",
"versionStartIncluding": "2.0.0ubuntu0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "496C03D7-3211-47CE-996F-AE031900B54C",
"versionEndExcluding": "2.1.30ubuntu1.1",
"versionStartIncluding": "2.1.3ubuntu1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:*",
"matchCriteriaId": "338B3AAC-C147-4A31-95E7-6E8A6FB4B3FC",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9A03A663-BC84-47BE-90DA-09753C3F44FE",
"versionEndExcluding": "1.8.4.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;"
},
{
"lang": "es",
"value": "Se encontraron varios filtrados de memoria y descriptores de archivos en los archivos python/arfile.cc, python/tag.cc, python/tarfile.cc, tambi\u00e9n se conoce como GHSL-2020-170.\u0026#xa0;Este problema afecta a: python-apt versiones 1.1.0~beta1 anteriores a 1.1.0~beta1ubuntu0.16.04.10; versiones 1.6.5ubuntu0 anteriores a 1.6.5ubuntu0.4; versiones 2.0.0ubuntu0 anteriores a 2.0.0ubuntu0.20.04.2; versiones 2.1.3ubuntu1 anteriores a 2.1.3ubuntu1.1;"
}
],
"id": "CVE-2020-27351",
"lastModified": "2024-11-21T05:21:03.007",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 2.0,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 0.6,
"impactScore": 1.4,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 2.8,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-10T04:15:11.547",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Broken Link"
],
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"source": "security@ubuntu.com",
"tags": [
"Vendor Advisory"
],
"url": "https://usn.ubuntu.com/usn/usn-4668-1"
},
{
"source": "security@ubuntu.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4809"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://usn.ubuntu.com/usn/usn-4668-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.debian.org/security/2020/dsa-4809"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-772"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-772"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2011-3374
Vulnerability from fkie_nvd - Published: 2019-11-26 00:15 - Updated: 2024-11-21 01:30
Severity ?
Summary
It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| debian | advanced_package_tool | * | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| debian | debian_linux | 10.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0DCF96F5-95F7-4E18-994D-98D3CD0F7E6E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack."
},
{
"lang": "es",
"value": "Se encontr\u00f3 que apt-key en apt, todas las versiones, no comprueban correctamente las claves gpg con el llavero maestro, lo que conlleva a un potencial ataque de tipo man-in-the-middle."
}
],
"id": "CVE-2011-3374",
"lastModified": "2024-11-21T01:30:22.610",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-26T00:15:11.030",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3374"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2011/Sep/221"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3374"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "https://snyk.io/vuln/SNYK-LINUX-APT-116518"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://ubuntu.com/security/CVE-2011-3374"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3374"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Mailing List",
"Third Party Advisory"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "https://seclists.org/fulldisclosure/2011/Sep/221"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3374"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://snyk.io/vuln/SNYK-LINUX-APT-116518"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://ubuntu.com/security/CVE-2011-3374"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-347"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-3462
Vulnerability from fkie_nvd - Published: 2019-01-28 21:29 - Updated: 2024-11-21 04:42
Severity ?
Summary
Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| debian | advanced_package_tool | * | |
| debian | advanced_package_tool | * | |
| canonical | ubuntu_linux | 12.04 | |
| canonical | ubuntu_linux | 14.04 | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 18.04 | |
| canonical | ubuntu_linux | 18.10 | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| netapp | active_iq | - | |
| netapp | element_software | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1D2FC6D4-6A3E-448B-84F7-027BDAC1FEAF",
"versionEndExcluding": "1.2.30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "80E371D4-8F2B-41C2-A7CE-E5F93C72B8D6",
"versionEndIncluding": "1.4.8",
"versionStartIncluding": "1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*",
"matchCriteriaId": "07C312A0-CD2C-4B9C-B064-6409B25C278F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:active_iq:-:*:*:*:*:*:*:*",
"matchCriteriaId": "EF29713A-2852-4E3D-9666-4001C7E8B667",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*",
"matchCriteriaId": "85DF4B3F-4BBC-42B7-B729-096934523D63",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine."
},
{
"lang": "es",
"value": "El saneamiento incorrecto de un campo de redirecci\u00f3n 302 en el m\u00e9todo HTTP \"transport\" en apt, en versiones 1.4.8 y anteriores, puede conducir a la inyecci\u00f3n de contenido por parte de un atacante MITM, lo que puede conducir a la ejecuci\u00f3n remota de c\u00f3digo en el equipo objetivo."
}
],
"id": "CVE-2019-3462",
"lastModified": "2024-11-21T04:42:05.670",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-01-28T21:29:00.300",
"references": [
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106690"
},
{
"source": "security@debian.org",
"url": "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E"
},
{
"source": "security@debian.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00013.html"
},
{
"source": "security@debian.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html"
},
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190125-0002/"
},
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3863-1/"
},
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3863-2/"
},
{
"source": "security@debian.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.debian.org/security/2019/dsa-4371"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/106690"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00013.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190125-0002/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3863-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3863-2/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.debian.org/security/2019/dsa-4371"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2018-0501
Vulnerability from fkie_nvd - Published: 2018-08-21 00:29 - Updated: 2024-11-21 03:38
Severity ?
Summary
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.
References
| URL | Tags | ||
|---|---|---|---|
| security@debian.org | https://mirror.fail | Third Party Advisory, URL Repurposed | |
| security@debian.org | https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec | Patch, Third Party Advisory | |
| security@debian.org | https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47 | Patch, Third Party Advisory | |
| security@debian.org | https://usn.ubuntu.com/3746-1/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mirror.fail | Third Party Advisory, URL Repurposed | |
| af854a3a-2127-422b-91ae-364da2661108 | https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/3746-1/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | ubuntu_linux | 18.04 | |
| debian | advanced_package_tool | * | |
| debian | advanced_package_tool | 1.7.0 | |
| debian | advanced_package_tool | 1.7.0 | |
| debian | advanced_package_tool | 1.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C6A029D3-078F-44FF-A4EC-1DA371F72655",
"versionEndExcluding": "1.6.4",
"versionStartIncluding": "1.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.7.0:alpha:*:*:*:*:*:*",
"matchCriteriaId": "2C2085D0-86E5-4A74-9195-A04D406BC441",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.7.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "1BA098B2-CF1F-4951-8093-1FB0CA6825E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.7.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "E518DCA9-523F-4096-9F79-A313A6E46ADD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail."
},
{
"lang": "es",
"value": "La implementaci\u00f3n del m\u00e9todo mirror:// en Advanced Package Tool (APT) en versiones 1.6.x anteriores a la 1.6.4 y 1.7.x anteriores a la 1.7.0~alpha3 maneja de manera incorrecta la verificaci\u00f3n de firmas gpg para el archivo InRelease de un clon fallback, tambi\u00e9n conocido como mirrorfail."
}
],
"id": "CVE-2018-0501",
"lastModified": "2024-11-21T03:38:21.917",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-08-21T00:29:00.227",
"references": [
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory",
"URL Repurposed"
],
"url": "https://mirror.fail"
},
{
"source": "security@debian.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec"
},
{
"source": "security@debian.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47"
},
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3746-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"URL Repurposed"
],
"url": "https://mirror.fail"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/3746-1/"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-347"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2016-1252
Vulnerability from fkie_nvd - Published: 2017-12-05 16:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| debian | advanced_package_tool | * | |
| debian | debian_linux | 8.0 | |
| canonical | ubuntu_linux | 14.04 | |
| canonical | ubuntu_linux | 16.04 | |
| canonical | ubuntu_linux | 16.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8ACF9D91-F607-4A94-936D-F840D44486FC",
"versionEndExcluding": "1.0.9.8.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1AFB20FA-CB00-4729-AB3A-816454C6D096",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures."
},
{
"lang": "es",
"value": "El paquete apt, en Debian jessie en versiones anteriores a la 1.0.9.8.4; Debian inestable en versiones anteriores a la 1.4~beta2; Ubuntu 14.04 LTS en versiones anteriores a la 1.0.1ubuntu2.17; Ubuntu 16.04 LTS en versiones anteriores a la 1.2.15ubuntu0.2 y en Ubuntu 16.10 en versiones anteriores a la 1.3.2ubuntu0.1, permite que atacantes Man-in-the-Middle (MitM) eludan un mecanismo de protecci\u00f3n de firma de repositorios aprovechando la manipulaci\u00f3n indebida de errores al validar las firmas de archivos InRelease."
}
],
"id": "CVE-2016-1252",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-12-05T16:29:00.203",
"references": [
{
"source": "security@debian.org",
"tags": [
"Issue Tracking",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html"
},
{
"source": "security@debian.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-3156-1"
},
{
"source": "security@debian.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1020"
},
{
"source": "security@debian.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467"
},
{
"source": "security@debian.org",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://www.debian.org/security/2016/dsa-3733"
},
{
"source": "security@debian.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40916/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ubuntu.com/usn/USN-3156-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1020"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://www.debian.org/security/2016/dsa-3733"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/40916/"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-0489
Vulnerability from fkie_nvd - Published: 2014-11-03 22:55 - Updated: 2025-04-12 10:46
Severity ?
Summary
APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| debian | advanced_package_tool | 1.0.3 | |
| debian | advanced_package_tool | 1.0.5 | |
| debian | advanced_package_tool | 1.0.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "3B3D0444-F401-4A5A-9825-8CEECF37CFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6D2D0DC-5985-4C92-85FE-DE73082F89DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1AE05C16-DD11-4B09-A617-0C23D4A47D1E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package."
},
{
"lang": "es",
"value": "APT anterior a 1.0.9, cunado la opci\u00f3n Acquire::GzipIndexes est\u00e1 habilitada, no valida checksums, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de un paquete manipulado."
}
],
"id": "CVE-2014-0489",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-11-03T22:55:07.397",
"references": [
{
"source": "security@debian.org",
"url": "http://secunia.com/advisories/61275"
},
{
"source": "security@debian.org",
"url": "http://secunia.com/advisories/61286"
},
{
"source": "security@debian.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"source": "security@debian.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/61275"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/61286"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-0490
Vulnerability from fkie_nvd - Published: 2014-11-03 22:55 - Updated: 2025-04-12 10:46
Severity ?
Summary
The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| debian | advanced_package_tool | * | |
| debian | advanced_package_tool | 1.0.3 | |
| debian | advanced_package_tool | 1.0.4 | |
| debian | advanced_package_tool | 1.0.5 | |
| debian | advanced_package_tool | 1.0.6 | |
| debian | advanced_package_tool | 1.0.7 | |
| linux | linux_kernel | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2D494E62-30B6-4C8B-B738-4C7387BEEDDC",
"versionEndIncluding": "1.0.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "3B3D0444-F401-4A5A-9825-8CEECF37CFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "A07B36A9-6A7C-44EC-A2EC-0ADF6382FE98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "F6D2D0DC-5985-4C92-85FE-DE73082F89DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "556CF838-1C75-44A9-B484-31FABC3AA6F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1AE05C16-DD11-4B09-A617-0C23D4A47D1E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"matchCriteriaId": "155AD4FB-E527-4103-BCEF-801B653DEA37",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package."
},
{
"lang": "es",
"value": "El comando de descarga apt-get en APT anterior a 1.0.9 no valida debidamente las firmas para paquetes, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de un paquete manipulado."
}
],
"id": "CVE-2014-0490",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-11-03T22:55:07.447",
"references": [
{
"source": "security@debian.org",
"url": "http://secunia.com/advisories/61275"
},
{
"source": "security@debian.org",
"url": "http://secunia.com/advisories/61286"
},
{
"source": "security@debian.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"source": "security@debian.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/61275"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/61286"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-0488
Vulnerability from fkie_nvd - Published: 2014-11-03 22:55 - Updated: 2025-04-12 10:46
Severity ?
Summary
APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| debian | advanced_package_tool | 1.0.3 | |
| debian | advanced_package_tool | 1.0.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "3B3D0444-F401-4A5A-9825-8CEECF37CFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1AE05C16-DD11-4B09-A617-0C23D4A47D1E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "APT before 1.0.9 does not \"invalidate repository data\" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data."
},
{
"lang": "es",
"value": "APT anterior a 1.0.9 no \u0027invalida los datos del repositorio\u0027 cuando se traslada de un estado no autenticado a uno autenticado, lo que permite a atacantes remotos tener un impacto no especificado a trav\u00e9s de datos del repositorio manipulados."
}
],
"id": "CVE-2014-0488",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-11-03T22:55:07.350",
"references": [
{
"source": "security@debian.org",
"url": "http://secunia.com/advisories/61275"
},
{
"source": "security@debian.org",
"url": "http://secunia.com/advisories/61286"
},
{
"source": "security@debian.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"source": "security@debian.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/61275"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/61286"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-0487
Vulnerability from fkie_nvd - Published: 2014-11-03 22:55 - Updated: 2025-04-12 10:46
Severity ?
Summary
APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| debian | advanced_package_tool | 1.0.3 | |
| debian | advanced_package_tool | 1.0.7 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "3B3D0444-F401-4A5A-9825-8CEECF37CFE7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:debian:advanced_package_tool:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "1AE05C16-DD11-4B09-A617-0C23D4A47D1E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors."
},
{
"lang": "es",
"value": "APT anterior a 1.0.9 no verifica ficheros descargados si han sido modificados como indica utilizando la cabecera If-Modified-Since, lo que tiene un impacto y vectores de ataque no especificados."
}
],
"id": "CVE-2014-0487",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-11-03T22:55:07.303",
"references": [
{
"source": "security@debian.org",
"url": "http://secunia.com/advisories/61275"
},
{
"source": "security@debian.org",
"url": "http://secunia.com/advisories/61286"
},
{
"source": "security@debian.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"source": "security@debian.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/61275"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/61286"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"sourceIdentifier": "security@debian.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-27350 (GCVE-0-2020-27350)
Vulnerability from cvelistv5 – Published: 2020-12-10 04:05 – Updated: 2024-09-17 04:29
VLAI?
Summary
APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;
Severity ?
5.7 (Medium)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
Credits
Kevin Backhouse
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.654Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://usn.ubuntu.com/usn/usn-4667-1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"name": "DSA-4808",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4808"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210108-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "apt",
"vendor": "Canonical",
"versions": [
{
"lessThan": "1.2.32ubuntu0.2",
"status": "affected",
"version": "1.2.32ubuntu0",
"versionType": "custom"
},
{
"lessThan": "1.6.12ubuntu0.2",
"status": "affected",
"version": "1.6.12ubuntu0",
"versionType": "custom"
},
{
"lessThan": "2.0.2ubuntu0.2",
"status": "affected",
"version": "2.0.2ubuntu0",
"versionType": "custom"
},
{
"lessThan": "2.1.10ubuntu0.1",
"status": "affected",
"version": "2.1.10ubuntu0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kevin Backhouse"
}
],
"datePublic": "2020-12-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-08T11:06:12",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://usn.ubuntu.com/usn/usn-4667-1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"name": "DSA-4808",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4808"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210108-0005/"
}
],
"source": {
"advisory": "https://usn.ubuntu.com/usn/usn-4667-1",
"defect": [
"https://bugs.launchpad.net/bugs/1899193"
],
"discovery": "EXTERNAL"
},
"title": "apt integer wraparound",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2020-12-09T00:00:00.000Z",
"ID": "CVE-2020-27350",
"STATE": "PUBLIC",
"TITLE": "apt integer wraparound"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "apt",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.2.32ubuntu0",
"version_value": "1.2.32ubuntu0.2"
},
{
"version_affected": "\u003c",
"version_name": "1.6.12ubuntu0",
"version_value": "1.6.12ubuntu0.2"
},
{
"version_affected": "\u003c",
"version_name": "2.0.2ubuntu0",
"version_value": "2.0.2ubuntu0.2"
},
{
"version_affected": "\u003c",
"version_name": "2.1.10ubuntu0",
"version_value": "2.1.10ubuntu0.1"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kevin Backhouse"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-190 Integer Overflow or Wraparound"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://usn.ubuntu.com/usn/usn-4667-1",
"refsource": "MISC",
"url": "https://usn.ubuntu.com/usn/usn-4667-1"
},
{
"name": "https://bugs.launchpad.net/bugs/1899193",
"refsource": "MISC",
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"name": "DSA-4808",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4808"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210108-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210108-0005/"
}
]
},
"source": {
"advisory": "https://usn.ubuntu.com/usn/usn-4667-1",
"defect": [
"https://bugs.launchpad.net/bugs/1899193"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-27350",
"datePublished": "2020-12-10T04:05:18.456615Z",
"dateReserved": "2020-10-20T00:00:00",
"dateUpdated": "2024-09-17T04:29:18.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27351 (GCVE-0-2020-27351)
Vulnerability from cvelistv5 – Published: 2020-12-10 04:05 – Updated: 2024-09-16 22:15
VLAI?
Summary
Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;
Severity ?
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | python-apt |
Affected:
1.1.0~beta1 , < 1.1.0~beta1ubuntu0.16.04.10
(custom)
Affected: 1.6.5ubuntu0 , < 1.6.5ubuntu0.4 (custom) Affected: 2.0.0ubuntu0 , < 2.0.0ubuntu0.20.04.2 (custom) Affected: 2.1.3ubuntu1 , < 2.1.3ubuntu1.1 (custom) |
Credits
Kevin Backhouse
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://usn.ubuntu.com/usn/usn-4668-1"
},
{
"name": "DSA-4809",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4809"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "python-apt",
"vendor": "Canonical",
"versions": [
{
"lessThan": "1.1.0~beta1ubuntu0.16.04.10",
"status": "affected",
"version": "1.1.0~beta1",
"versionType": "custom"
},
{
"lessThan": "1.6.5ubuntu0.4",
"status": "affected",
"version": "1.6.5ubuntu0",
"versionType": "custom"
},
{
"lessThan": "2.0.0ubuntu0.20.04.2",
"status": "affected",
"version": "2.0.0ubuntu0",
"versionType": "custom"
},
{
"lessThan": "2.1.3ubuntu1.1",
"status": "affected",
"version": "2.1.3ubuntu1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kevin Backhouse"
}
],
"datePublic": "2020-12-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-10T11:06:07",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://usn.ubuntu.com/usn/usn-4668-1"
},
{
"name": "DSA-4809",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4809"
}
],
"source": {
"advisory": "https://usn.ubuntu.com/usn/usn-4668-1",
"defect": [
"https://bugs.launchpad.net/bugs/1899193"
],
"discovery": "EXTERNAL"
},
"title": "Various memory and file descriptor leaks in apt-python",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2020-12-09T00:00:00.000Z",
"ID": "CVE-2020-27351",
"STATE": "PUBLIC",
"TITLE": "Various memory and file descriptor leaks in apt-python"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "python-apt",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.1.0~beta1",
"version_value": "1.1.0~beta1ubuntu0.16.04.10"
},
{
"version_affected": "\u003c",
"version_name": "1.6.5ubuntu0",
"version_value": "1.6.5ubuntu0.4"
},
{
"version_affected": "\u003c",
"version_name": "2.0.0ubuntu0",
"version_value": "2.0.0ubuntu0.20.04.2"
},
{
"version_affected": "\u003c",
"version_name": "2.1.3ubuntu1",
"version_value": "2.1.3ubuntu1.1"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kevin Backhouse"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-772 Missing Release of Resource after Effective Lifetime"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.launchpad.net/bugs/1899193",
"refsource": "MISC",
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"name": "https://usn.ubuntu.com/usn/usn-4668-1",
"refsource": "MISC",
"url": "https://usn.ubuntu.com/usn/usn-4668-1"
},
{
"name": "DSA-4809",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4809"
}
]
},
"source": {
"advisory": "https://usn.ubuntu.com/usn/usn-4668-1",
"defect": [
"https://bugs.launchpad.net/bugs/1899193"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-27351",
"datePublished": "2020-12-10T04:05:18.897719Z",
"dateReserved": "2020-10-20T00:00:00",
"dateUpdated": "2024-09-16T22:15:18.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-3374 (GCVE-0-2011-3374)
Vulnerability from cvelistv5 – Published: 2019-11-25 23:13 – Updated: 2024-08-06 23:29
VLAI?
Summary
It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.
Severity ?
No CVSS data available.
CWE
- Other
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T23:29:56.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3374"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3374"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-LINUX-APT-116518"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2011/Sep/221"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ubuntu.com/security/CVE-2011-3374"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "apt",
"vendor": "apt",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Other",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-04T12:30:35",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3374"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3374"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-LINUX-APT-116518"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://seclists.org/fulldisclosure/2011/Sep/221"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ubuntu.com/security/CVE-2011-3374"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2011-3374",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "apt",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "apt"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2011-3374",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3374"
},
{
"name": "https://access.redhat.com/security/cve/cve-2011-3374",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2011-3374"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480"
},
{
"name": "https://snyk.io/vuln/SNYK-LINUX-APT-116518",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-LINUX-APT-116518"
},
{
"name": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html",
"refsource": "MISC",
"url": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html"
},
{
"name": "https://seclists.org/fulldisclosure/2011/Sep/221",
"refsource": "MISC",
"url": "https://seclists.org/fulldisclosure/2011/Sep/221"
},
{
"name": "https://ubuntu.com/security/CVE-2011-3374",
"refsource": "MISC",
"url": "https://ubuntu.com/security/CVE-2011-3374"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-3374",
"datePublished": "2019-11-25T23:13:02",
"dateReserved": "2011-08-30T00:00:00",
"dateUpdated": "2024-08-06T23:29:56.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3462 (GCVE-0-2019-3462)
Vulnerability from cvelistv5 – Published: 2019-01-28 21:00 – Updated: 2024-09-16 16:32
VLAI?
Summary
Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.
Severity ?
No CVSS data available.
CWE
- Remote code execution in apt
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Debian GNU/Linux | apt as used in Debian Stretch and Ubuntu |
Affected:
1.4.8 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:12:09.590Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106690",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106690"
},
{
"name": "USN-3863-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3863-1/"
},
{
"name": "USN-3863-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3863-2/"
},
{
"name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1637-1] apt security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00013.html"
},
{
"name": "DSA-4371",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4371"
},
{
"name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1637-1] apt security update (amended)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190125-0002/"
},
{
"name": "[infra-devnull] 20190404 [GitHub] [incubator-openwhisk-runtime-ballerina] falkzoll commented on issue #15: Update to new base image jdk8u202-b08_openj9-0.12.1.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "apt as used in Debian Stretch and Ubuntu",
"vendor": "Debian GNU/Linux",
"versions": [
{
"status": "affected",
"version": "1.4.8 and earlier"
}
]
}
],
"datePublic": "2019-01-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution in apt",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-04T16:06:05",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "106690",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106690"
},
{
"name": "USN-3863-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3863-1/"
},
{
"name": "USN-3863-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3863-2/"
},
{
"name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1637-1] apt security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00013.html"
},
{
"name": "DSA-4371",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2019/dsa-4371"
},
{
"name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1637-1] apt security update (amended)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190125-0002/"
},
{
"name": "[infra-devnull] 20190404 [GitHub] [incubator-openwhisk-runtime-ballerina] falkzoll commented on issue #15: Update to new base image jdk8u202-b08_openj9-0.12.1.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"DATE_PUBLIC": "2019-01-22T00:00:00",
"ID": "CVE-2019-3462",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "apt as used in Debian Stretch and Ubuntu",
"version": {
"version_data": [
{
"version_value": "1.4.8 and earlier"
}
]
}
}
]
},
"vendor_name": "Debian GNU/Linux"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution in apt"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106690",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106690"
},
{
"name": "USN-3863-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3863-1/"
},
{
"name": "USN-3863-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3863-2/"
},
{
"name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1637-1] apt security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00013.html"
},
{
"name": "DSA-4371",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4371"
},
{
"name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1637-1] apt security update (amended)",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190125-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190125-0002/"
},
{
"name": "[infra-devnull] 20190404 [GitHub] [incubator-openwhisk-runtime-ballerina] falkzoll commented on issue #15: Update to new base image jdk8u202-b08_openj9-0.12.1.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2019-3462",
"datePublished": "2019-01-28T21:00:00Z",
"dateReserved": "2018-12-31T00:00:00",
"dateUpdated": "2024-09-16T16:32:28.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-0501 (GCVE-0-2018-0501)
Vulnerability from cvelistv5 – Published: 2018-08-21 00:00 – Updated: 2024-08-05 03:28
VLAI?
Summary
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.
Severity ?
No CVSS data available.
CWE
- lack of signature verification
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 |
Affected:
APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:28:10.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mirror.fail"
},
{
"name": "USN-3746-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3746-1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3"
}
]
}
],
"datePublic": "2018-08-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "lack of signature verification",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-08-21T09:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mirror.fail"
},
{
"name": "USN-3746-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3746-1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2018-0501",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3",
"version": {
"version_data": [
{
"version_value": "APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "lack of signature verification"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mirror.fail",
"refsource": "MISC",
"url": "https://mirror.fail"
},
{
"name": "USN-3746-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3746-1/"
},
{
"name": "https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47",
"refsource": "MISC",
"url": "https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47"
},
{
"name": "https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec",
"refsource": "MISC",
"url": "https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2018-0501",
"datePublished": "2018-08-21T00:00:00",
"dateReserved": "2017-11-27T00:00:00",
"dateUpdated": "2024-08-05T03:28:10.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1252 (GCVE-0-2016-1252)
Vulnerability from cvelistv5 – Published: 2017-12-05 16:00 – Updated: 2024-08-05 22:48
VLAI?
Summary
The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:48:13.650Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-3733",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2016/dsa-3733"
},
{
"name": "USN-3156-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-3156-1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html"
},
{
"name": "40916",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40916/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1020"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-05T15:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "DSA-3733",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2016/dsa-3733"
},
{
"name": "USN-3156-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-3156-1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html"
},
{
"name": "40916",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40916/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1020"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2016-1252",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-3733",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2016/dsa-3733"
},
{
"name": "USN-3156-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-3156-1"
},
{
"name": "http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html"
},
{
"name": "40916",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40916/"
},
{
"name": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467",
"refsource": "CONFIRM",
"url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467"
},
{
"name": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1020",
"refsource": "MISC",
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1020"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-1252",
"datePublished": "2017-12-05T16:00:00",
"dateReserved": "2015-12-27T00:00:00",
"dateUpdated": "2024-08-05T22:48:13.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-0490 (GCVE-0-2014-0490)
Vulnerability from cvelistv5 – Published: 2014-11-03 22:00 – Updated: 2024-08-06 09:20
VLAI?
Summary
The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:20:18.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-09-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-11-03T21:57:00",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-0490",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "61286",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"refsource": "UBUNTU",
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-3025"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-0490",
"datePublished": "2014-11-03T22:00:00",
"dateReserved": "2013-12-19T00:00:00",
"dateUpdated": "2024-08-06T09:20:18.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-0487 (GCVE-0-2014-0487)
Vulnerability from cvelistv5 – Published: 2014-11-03 22:00 – Updated: 2024-08-06 09:20
VLAI?
Summary
APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:20:18.574Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-09-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-11-03T21:57:00",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-0487",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "61286",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"refsource": "UBUNTU",
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-3025"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-0487",
"datePublished": "2014-11-03T22:00:00",
"dateReserved": "2013-12-19T00:00:00",
"dateUpdated": "2024-08-06T09:20:18.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-0488 (GCVE-0-2014-0488)
Vulnerability from cvelistv5 – Published: 2014-11-03 22:00 – Updated: 2024-08-06 09:20
VLAI?
Summary
APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:20:18.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-09-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "APT before 1.0.9 does not \"invalidate repository data\" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-11-03T21:57:00",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-0488",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "APT before 1.0.9 does not \"invalidate repository data\" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "61286",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"refsource": "UBUNTU",
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-3025"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-0488",
"datePublished": "2014-11-03T22:00:00",
"dateReserved": "2013-12-19T00:00:00",
"dateUpdated": "2024-08-06T09:20:18.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-0489 (GCVE-0-2014-0489)
Vulnerability from cvelistv5 – Published: 2014-11-03 22:00 – Updated: 2024-08-06 09:20
VLAI?
Summary
APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:20:18.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-09-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-11-03T21:57:00",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-0489",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "61286",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"refsource": "UBUNTU",
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-3025"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-0489",
"datePublished": "2014-11-03T22:00:00",
"dateReserved": "2013-12-19T00:00:00",
"dateUpdated": "2024-08-06T09:20:18.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27350 (GCVE-0-2020-27350)
Vulnerability from nvd – Published: 2020-12-10 04:05 – Updated: 2024-09-17 04:29
VLAI?
Summary
APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;
Severity ?
5.7 (Medium)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
Credits
Kevin Backhouse
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.654Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://usn.ubuntu.com/usn/usn-4667-1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"name": "DSA-4808",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4808"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210108-0005/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "apt",
"vendor": "Canonical",
"versions": [
{
"lessThan": "1.2.32ubuntu0.2",
"status": "affected",
"version": "1.2.32ubuntu0",
"versionType": "custom"
},
{
"lessThan": "1.6.12ubuntu0.2",
"status": "affected",
"version": "1.6.12ubuntu0",
"versionType": "custom"
},
{
"lessThan": "2.0.2ubuntu0.2",
"status": "affected",
"version": "2.0.2ubuntu0",
"versionType": "custom"
},
{
"lessThan": "2.1.10ubuntu0.1",
"status": "affected",
"version": "2.1.10ubuntu0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kevin Backhouse"
}
],
"datePublic": "2020-12-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-01-08T11:06:12",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://usn.ubuntu.com/usn/usn-4667-1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"name": "DSA-4808",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4808"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210108-0005/"
}
],
"source": {
"advisory": "https://usn.ubuntu.com/usn/usn-4667-1",
"defect": [
"https://bugs.launchpad.net/bugs/1899193"
],
"discovery": "EXTERNAL"
},
"title": "apt integer wraparound",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2020-12-09T00:00:00.000Z",
"ID": "CVE-2020-27350",
"STATE": "PUBLIC",
"TITLE": "apt integer wraparound"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "apt",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.2.32ubuntu0",
"version_value": "1.2.32ubuntu0.2"
},
{
"version_affected": "\u003c",
"version_name": "1.6.12ubuntu0",
"version_value": "1.6.12ubuntu0.2"
},
{
"version_affected": "\u003c",
"version_name": "2.0.2ubuntu0",
"version_value": "2.0.2ubuntu0.2"
},
{
"version_affected": "\u003c",
"version_name": "2.1.10ubuntu0",
"version_value": "2.1.10ubuntu0.1"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kevin Backhouse"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-190 Integer Overflow or Wraparound"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://usn.ubuntu.com/usn/usn-4667-1",
"refsource": "MISC",
"url": "https://usn.ubuntu.com/usn/usn-4667-1"
},
{
"name": "https://bugs.launchpad.net/bugs/1899193",
"refsource": "MISC",
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"name": "DSA-4808",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4808"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210108-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210108-0005/"
}
]
},
"source": {
"advisory": "https://usn.ubuntu.com/usn/usn-4667-1",
"defect": [
"https://bugs.launchpad.net/bugs/1899193"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-27350",
"datePublished": "2020-12-10T04:05:18.456615Z",
"dateReserved": "2020-10-20T00:00:00",
"dateUpdated": "2024-09-17T04:29:18.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27351 (GCVE-0-2020-27351)
Vulnerability from nvd – Published: 2020-12-10 04:05 – Updated: 2024-09-16 22:15
VLAI?
Summary
Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;
Severity ?
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | python-apt |
Affected:
1.1.0~beta1 , < 1.1.0~beta1ubuntu0.16.04.10
(custom)
Affected: 1.6.5ubuntu0 , < 1.6.5ubuntu0.4 (custom) Affected: 2.0.0ubuntu0 , < 2.0.0ubuntu0.20.04.2 (custom) Affected: 2.1.3ubuntu1 , < 2.1.3ubuntu1.1 (custom) |
Credits
Kevin Backhouse
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:11:36.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://usn.ubuntu.com/usn/usn-4668-1"
},
{
"name": "DSA-4809",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4809"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "python-apt",
"vendor": "Canonical",
"versions": [
{
"lessThan": "1.1.0~beta1ubuntu0.16.04.10",
"status": "affected",
"version": "1.1.0~beta1",
"versionType": "custom"
},
{
"lessThan": "1.6.5ubuntu0.4",
"status": "affected",
"version": "1.6.5ubuntu0",
"versionType": "custom"
},
{
"lessThan": "2.0.0ubuntu0.20.04.2",
"status": "affected",
"version": "2.0.0ubuntu0",
"versionType": "custom"
},
{
"lessThan": "2.1.3ubuntu1.1",
"status": "affected",
"version": "2.1.3ubuntu1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Kevin Backhouse"
}
],
"datePublic": "2020-12-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772 Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-10T11:06:07",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://usn.ubuntu.com/usn/usn-4668-1"
},
{
"name": "DSA-4809",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4809"
}
],
"source": {
"advisory": "https://usn.ubuntu.com/usn/usn-4668-1",
"defect": [
"https://bugs.launchpad.net/bugs/1899193"
],
"discovery": "EXTERNAL"
},
"title": "Various memory and file descriptor leaks in apt-python",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2020-12-09T00:00:00.000Z",
"ID": "CVE-2020-27351",
"STATE": "PUBLIC",
"TITLE": "Various memory and file descriptor leaks in apt-python"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "python-apt",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.1.0~beta1",
"version_value": "1.1.0~beta1ubuntu0.16.04.10"
},
{
"version_affected": "\u003c",
"version_name": "1.6.5ubuntu0",
"version_value": "1.6.5ubuntu0.4"
},
{
"version_affected": "\u003c",
"version_name": "2.0.0ubuntu0",
"version_value": "2.0.0ubuntu0.20.04.2"
},
{
"version_affected": "\u003c",
"version_name": "2.1.3ubuntu1",
"version_value": "2.1.3ubuntu1.1"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Kevin Backhouse"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-772 Missing Release of Resource after Effective Lifetime"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.launchpad.net/bugs/1899193",
"refsource": "MISC",
"url": "https://bugs.launchpad.net/bugs/1899193"
},
{
"name": "https://usn.ubuntu.com/usn/usn-4668-1",
"refsource": "MISC",
"url": "https://usn.ubuntu.com/usn/usn-4668-1"
},
{
"name": "DSA-4809",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4809"
}
]
},
"source": {
"advisory": "https://usn.ubuntu.com/usn/usn-4668-1",
"defect": [
"https://bugs.launchpad.net/bugs/1899193"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2020-27351",
"datePublished": "2020-12-10T04:05:18.897719Z",
"dateReserved": "2020-10-20T00:00:00",
"dateUpdated": "2024-09-16T22:15:18.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-3374 (GCVE-0-2011-3374)
Vulnerability from nvd – Published: 2019-11-25 23:13 – Updated: 2024-08-06 23:29
VLAI?
Summary
It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.
Severity ?
No CVSS data available.
CWE
- Other
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T23:29:56.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3374"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3374"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://snyk.io/vuln/SNYK-LINUX-APT-116518"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2011/Sep/221"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ubuntu.com/security/CVE-2011-3374"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "apt",
"vendor": "apt",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Other",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-04T12:30:35",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3374"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/cve-2011-3374"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://snyk.io/vuln/SNYK-LINUX-APT-116518"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://seclists.org/fulldisclosure/2011/Sep/221"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ubuntu.com/security/CVE-2011-3374"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2011-3374",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "apt",
"version": {
"version_data": [
{
"version_value": "All versions"
}
]
}
}
]
},
"vendor_name": "apt"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security-tracker.debian.org/tracker/CVE-2011-3374",
"refsource": "MISC",
"url": "https://security-tracker.debian.org/tracker/CVE-2011-3374"
},
{
"name": "https://access.redhat.com/security/cve/cve-2011-3374",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/cve-2011-3374"
},
{
"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480",
"refsource": "MISC",
"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480"
},
{
"name": "https://snyk.io/vuln/SNYK-LINUX-APT-116518",
"refsource": "MISC",
"url": "https://snyk.io/vuln/SNYK-LINUX-APT-116518"
},
{
"name": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html",
"refsource": "MISC",
"url": "https://people.canonical.com/~ubuntu-security/cve/2011/CVE-2011-3374.html"
},
{
"name": "https://seclists.org/fulldisclosure/2011/Sep/221",
"refsource": "MISC",
"url": "https://seclists.org/fulldisclosure/2011/Sep/221"
},
{
"name": "https://ubuntu.com/security/CVE-2011-3374",
"refsource": "MISC",
"url": "https://ubuntu.com/security/CVE-2011-3374"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2011-3374",
"datePublished": "2019-11-25T23:13:02",
"dateReserved": "2011-08-30T00:00:00",
"dateUpdated": "2024-08-06T23:29:56.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3462 (GCVE-0-2019-3462)
Vulnerability from nvd – Published: 2019-01-28 21:00 – Updated: 2024-09-16 16:32
VLAI?
Summary
Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.
Severity ?
No CVSS data available.
CWE
- Remote code execution in apt
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Debian GNU/Linux | apt as used in Debian Stretch and Ubuntu |
Affected:
1.4.8 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:12:09.590Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "106690",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106690"
},
{
"name": "USN-3863-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3863-1/"
},
{
"name": "USN-3863-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3863-2/"
},
{
"name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1637-1] apt security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00013.html"
},
{
"name": "DSA-4371",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4371"
},
{
"name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1637-1] apt security update (amended)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190125-0002/"
},
{
"name": "[infra-devnull] 20190404 [GitHub] [incubator-openwhisk-runtime-ballerina] falkzoll commented on issue #15: Update to new base image jdk8u202-b08_openj9-0.12.1.",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "apt as used in Debian Stretch and Ubuntu",
"vendor": "Debian GNU/Linux",
"versions": [
{
"status": "affected",
"version": "1.4.8 and earlier"
}
]
}
],
"datePublic": "2019-01-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote code execution in apt",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-04T16:06:05",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "106690",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106690"
},
{
"name": "USN-3863-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3863-1/"
},
{
"name": "USN-3863-2",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3863-2/"
},
{
"name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1637-1] apt security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00013.html"
},
{
"name": "DSA-4371",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2019/dsa-4371"
},
{
"name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1637-1] apt security update (amended)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190125-0002/"
},
{
"name": "[infra-devnull] 20190404 [GitHub] [incubator-openwhisk-runtime-ballerina] falkzoll commented on issue #15: Update to new base image jdk8u202-b08_openj9-0.12.1.",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f%40%3Cdevnull.infra.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"DATE_PUBLIC": "2019-01-22T00:00:00",
"ID": "CVE-2019-3462",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "apt as used in Debian Stretch and Ubuntu",
"version": {
"version_data": [
{
"version_value": "1.4.8 and earlier"
}
]
}
}
]
},
"vendor_name": "Debian GNU/Linux"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote code execution in apt"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "106690",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106690"
},
{
"name": "USN-3863-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3863-1/"
},
{
"name": "USN-3863-2",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3863-2/"
},
{
"name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1637-1] apt security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00013.html"
},
{
"name": "DSA-4371",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4371"
},
{
"name": "[debian-lts-announce] 20190122 [SECURITY] [DLA 1637-1] apt security update (amended)",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00014.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190125-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190125-0002/"
},
{
"name": "[infra-devnull] 20190404 [GitHub] [incubator-openwhisk-runtime-ballerina] falkzoll commented on issue #15: Update to new base image jdk8u202-b08_openj9-0.12.1.",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2019-3462",
"datePublished": "2019-01-28T21:00:00Z",
"dateReserved": "2018-12-31T00:00:00",
"dateUpdated": "2024-09-16T16:32:28.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-0501 (GCVE-0-2018-0501)
Vulnerability from nvd – Published: 2018-08-21 00:00 – Updated: 2024-08-05 03:28
VLAI?
Summary
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.
Severity ?
No CVSS data available.
CWE
- lack of signature verification
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 |
Affected:
APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:28:10.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mirror.fail"
},
{
"name": "USN-3746-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/3746-1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3"
}
]
}
],
"datePublic": "2018-08-20T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "lack of signature verification",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-08-21T09:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mirror.fail"
},
{
"name": "USN-3746-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/3746-1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2018-0501",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3",
"version": {
"version_data": [
{
"version_value": "APT 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "lack of signature verification"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mirror.fail",
"refsource": "MISC",
"url": "https://mirror.fail"
},
{
"name": "USN-3746-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/3746-1/"
},
{
"name": "https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47",
"refsource": "MISC",
"url": "https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47"
},
{
"name": "https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec",
"refsource": "MISC",
"url": "https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2018-0501",
"datePublished": "2018-08-21T00:00:00",
"dateReserved": "2017-11-27T00:00:00",
"dateUpdated": "2024-08-05T03:28:10.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-1252 (GCVE-0-2016-1252)
Vulnerability from nvd – Published: 2017-12-05 16:00 – Updated: 2024-08-05 22:48
VLAI?
Summary
The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:48:13.650Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-3733",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2016/dsa-3733"
},
{
"name": "USN-3156-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-3156-1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html"
},
{
"name": "40916",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/40916/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1020"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-12-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-05T15:57:01",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "DSA-3733",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2016/dsa-3733"
},
{
"name": "USN-3156-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-3156-1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html"
},
{
"name": "40916",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/40916/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1020"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2016-1252",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-3733",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2016/dsa-3733"
},
{
"name": "USN-3156-1",
"refsource": "UBUNTU",
"url": "http://www.ubuntu.com/usn/USN-3156-1"
},
{
"name": "http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/140145/apt-Repository-Signing-Bypass.html"
},
{
"name": "40916",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/40916/"
},
{
"name": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467",
"refsource": "CONFIRM",
"url": "https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467"
},
{
"name": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1020",
"refsource": "MISC",
"url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1020"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2016-1252",
"datePublished": "2017-12-05T16:00:00",
"dateReserved": "2015-12-27T00:00:00",
"dateUpdated": "2024-08-05T22:48:13.650Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-0490 (GCVE-0-2014-0490)
Vulnerability from nvd – Published: 2014-11-03 22:00 – Updated: 2024-08-06 09:20
VLAI?
Summary
The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:20:18.503Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-09-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-11-03T21:57:00",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-0490",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "61286",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"refsource": "UBUNTU",
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-3025"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-0490",
"datePublished": "2014-11-03T22:00:00",
"dateReserved": "2013-12-19T00:00:00",
"dateUpdated": "2024-08-06T09:20:18.503Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-0487 (GCVE-0-2014-0487)
Vulnerability from nvd – Published: 2014-11-03 22:00 – Updated: 2024-08-06 09:20
VLAI?
Summary
APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:20:18.574Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-09-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-11-03T21:57:00",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-0487",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "61286",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"refsource": "UBUNTU",
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-3025"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-0487",
"datePublished": "2014-11-03T22:00:00",
"dateReserved": "2013-12-19T00:00:00",
"dateUpdated": "2024-08-06T09:20:18.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-0488 (GCVE-0-2014-0488)
Vulnerability from nvd – Published: 2014-11-03 22:00 – Updated: 2024-08-06 09:20
VLAI?
Summary
APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:20:18.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-09-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "APT before 1.0.9 does not \"invalidate repository data\" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-11-03T21:57:00",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-0488",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "APT before 1.0.9 does not \"invalidate repository data\" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "61286",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"refsource": "UBUNTU",
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-3025"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-0488",
"datePublished": "2014-11-03T22:00:00",
"dateReserved": "2013-12-19T00:00:00",
"dateUpdated": "2024-08-06T09:20:18.468Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-0489 (GCVE-0-2014-0489)
Vulnerability from nvd – Published: 2014-11-03 22:00 – Updated: 2024-08-06 09:20
VLAI?
Summary
APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:20:18.508Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-09-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-11-03T21:57:00",
"orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"shortName": "debian"
},
"references": [
{
"name": "61286",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-3025"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@debian.org",
"ID": "CVE-2014-0489",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "61286",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61286"
},
{
"name": "61275",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61275"
},
{
"name": "USN-2348-1",
"refsource": "UBUNTU",
"url": "http://ubuntu.com/usn/usn-2348-1"
},
{
"name": "DSA-3025",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-3025"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5",
"assignerShortName": "debian",
"cveId": "CVE-2014-0489",
"datePublished": "2014-11-03T22:00:00",
"dateReserved": "2013-12-19T00:00:00",
"dateUpdated": "2024-08-06T09:20:18.508Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}