Search criteria
6 vulnerabilities found for python-apt by debian
FKIE_CVE-2019-15795
Vulnerability from fkie_nvd - Published: 2020-03-26 13:15 - Updated: 2024-11-21 04:29
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.
References
| URL | Tags | ||
|---|---|---|---|
| security@ubuntu.com | https://usn.ubuntu.com/4247-1/ | Patch, Vendor Advisory | |
| security@ubuntu.com | https://usn.ubuntu.com/4247-3/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/4247-1/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/4247-3/ | Patch, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.0:ubuntu9:*:*:*:*:*:*",
"matchCriteriaId": "C8023A14-4ECA-4A75-8171-26709D2D3792",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.1:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "1EF9A385-956B-472C-A679-A3FE4AC00592",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "D8875AAE-0C17-4D78-AFE4-6BB22EB77954",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "A863CCB4-564A-4B48-B848-BDD4136E6344",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu3:*:*:*:*:*:*",
"matchCriteriaId": "1C8E5FCA-385C-417C-99F5-D567561FF726",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu4:*:*:*:*:*:*",
"matchCriteriaId": "9007120A-79E2-40BB-AF85-7D3A5BA12D57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu5:*:*:*:*:*:*",
"matchCriteriaId": "17342A94-F344-48F4-AF01-C8D9787A026F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu6:*:*:*:*:*:*",
"matchCriteriaId": "AF594C79-79DF-4347-A032-D9E33BE17D56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu7:*:*:*:*:*:*",
"matchCriteriaId": "4ABCF70B-DCD4-4D2A-830D-4BE9E4E0CC20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu7.1:*:*:*:*:*:*",
"matchCriteriaId": "ED043341-3D12-4BAD-B064-1FD31BD94EBF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu7.2:*:*:*:*:*:*",
"matchCriteriaId": "B68421C7-67B0-418E-A1F4-D202AF56A074",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu7.3:*:*:*:*:*:*",
"matchCriteriaId": "85D25189-5488-4C05-A187-CBD57F0BFB6B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B9412B9A-6972-4250-98C6-2D24FD3CA870",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.9.1:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "F8F30079-BCC5-4764-BA0B-B788054D4A1C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BECDB14E-DCF8-40E6-9A69-DD4B33689481",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5FCC5B74-E260-4420-BA69-52D931D0816A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.1:build1:*:*:*:*:*:*",
"matchCriteriaId": "78BD7CBD-B1A5-4998-A356-96B6EBB69884",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.1:build2:*:*:*:*:*:*",
"matchCriteriaId": "E022EBAC-22FD-4174-BD9C-FDC8C59B4EA9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.1:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "76BB9D6E-960E-441B-9BE6-A91871F8BF2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "95AAB90A-99D3-42B7-AC6D-F292F5DC338D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "78EFED05-114B-4ACC-ACE7-4862FF3CEF21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.2:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "492F2102-1B12-49BA-ACAD-811896D6D41C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.2:ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "F7B9C782-B85D-40B0-9B2D-3A0E0717124F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BBE95FDD-1DD6-4EE1-BBDB-466286246D34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.3:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "BED15761-D52F-4DFA-B311-5E83C098CA92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DA6E2809-0168-40ED-8E6D-11EFEAD691E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.4:build1:*:*:*:*:*:*",
"matchCriteriaId": "17F79D9B-B0E4-4DE3-B56E-8C0DB7D11B06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EE723A31-105B-4B7A-BD36-39F66F2D328A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.5:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "420F0F94-6271-46B6-A764-F80734025924",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.5:ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "4FBFE40A-1CFD-421F-9EB1-78A655CB4D18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.5:ubuntu3:*:*:*:*:*:*",
"matchCriteriaId": "365D175D-306D-4FF2-9AFC-6E61C5EC4894",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.0.1:build1:*:*:*:*:*:*",
"matchCriteriaId": "13651D35-2210-459D-ACF9-24098BA9FA94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.0.1:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "CABE1D3B-3CF8-4CEE-AD4B-A763041E06C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.0.1:ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "77EB9A5F-D8DA-497F-BF0E-A59859C7866D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "4E64022C-0775-4DD2-9B57-490EE4E5147C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1build1:*:*:*:*:*:*",
"matchCriteriaId": "09B3C47B-8C39-454E-9604-61EFF6F271E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.1:*:*:*:*:*:*",
"matchCriteriaId": "84D6B098-CDA0-489A-A0F2-9E30398ACFCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.2:*:*:*:*:*:*",
"matchCriteriaId": "DC1A8478-5D50-4574-8ED5-D4DC1617128C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.3:*:*:*:*:*:*",
"matchCriteriaId": "02ED67EF-AD26-44D9-966E-7F2EFACA98FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.4:*:*:*:*:*:*",
"matchCriteriaId": "8EF37D60-DF9C-494D-9E99-CAF2688D2709",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.5:*:*:*:*:*:*",
"matchCriteriaId": "DF4CF123-0348-4DBA-87AC-8C02CB6C560A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:python-apt:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "14C28F87-5F9F-4DC6-A690-0CFDDD3C4345",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0C32BE0B-1346-4ED3-8A80-4AA6EE2FD44B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.4.0:beta3build2:*:*:*:*:*:*",
"matchCriteriaId": "223E48D6-EFD6-43CC-8A57-3FBE61007B43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.4.0:beta3ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "276A516B-F419-4922-AD3D-089D894B75EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A174B38B-D155-4D1D-82CC-B62380F68D33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A8692D74-6D5C-4606-BB15-7ADF95E22171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:rc2ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "2C96734E-FB35-4525-B69F-00BB8F210459",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:rc2ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "F4B4B6D1-9399-4EA1-B4CE-82E1148E9894",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "3781605F-02A1-40CC-9D02-E2140B1B3064",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E05CF21E-EACE-4B18-9180-03B0983F95AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "307ECCEB-8E55-49FC-B44F-319BC07F0A05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5C00B937-3F2A-4E3C-8C09-ECF01662A05B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.3:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "DE4A7E7B-C520-4B56-A802-96DBE153284C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "5290F1FF-D143-4B10-BE1A-3BBC17D42A6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EE146221-82F3-4CDE-A713-6A3FA6742F71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EE146221-82F3-4CDE-A713-6A3FA6742F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.9.0:alpha0\\~ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "A20E9163-0590-44C8-81EF-DE999F9D504A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.9.0:alpha0\\~ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "3F84F347-CBD7-4E07-AF93-997E7C6569CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.9.0:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "ACA89794-91C5-48BD-AF40-971D892717EC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A5C41C59-4955-42D5-8724-A67D8DA7B9E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "163726B0-4A4F-4F7E-9A48-06BEFC29DC6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.0:alpha0\\~ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "1BC6ADE4-D2AB-424F-A63D-57840016D6F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.0:alpha0\\~ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "1BBD93FF-57C9-488E-8C11-CFA8EC1C5345",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1C378E5B-9AF4-436C-BAE6-1A009F5D490E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "6726FF84-F4DF-47A9-910B-9288D57A22BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FAC0AE27-85A4-4F6C-80E3-08A6B45F267C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EE146221-82F3-4CDE-A713-6A3FA6742F71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*",
"matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
},
{
"lang": "es",
"value": "Python-apt solo comprueba las cantidades MD5 de los archivos descargados en las funciones \"Version.fetch_binary()\" y \"Version.fetch_source()\" del archivo apt/package.py en la versi\u00f3n 1.9.0ubuntu1 y anteriores. Esto permite un ataque de tipo man-in-the-middle que podr\u00eda ser usado para instalar paquetes alterados y ha sido corregido en las versiones 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9. 3.5ubuntu3+esm2, y 0.8.3ubuntu7.5."
}
],
"id": "CVE-2019-15795",
"lastModified": "2024-11-21T04:29:29.007",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.7,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-26T13:15:12.750",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"source": "security@ubuntu.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://usn.ubuntu.com/4247-3/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://usn.ubuntu.com/4247-3/"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-327"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-327"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2019-15796
Vulnerability from fkie_nvd - Published: 2020-03-26 13:15 - Updated: 2024-11-21 04:29
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Python-apt doesn't check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn't be allowed and has been fixed in verisions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.
References
| URL | Tags | ||
|---|---|---|---|
| security@ubuntu.com | https://usn.ubuntu.com/4247-1/ | Patch, Third Party Advisory | |
| security@ubuntu.com | https://usn.ubuntu.com/4247-3/ | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/4247-1/ | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://usn.ubuntu.com/4247-3/ | Patch, Third Party Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.0:ubuntu9:*:*:*:*:*:*",
"matchCriteriaId": "C8023A14-4ECA-4A75-8171-26709D2D3792",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.1:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "1EF9A385-956B-472C-A679-A3FE4AC00592",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "D8875AAE-0C17-4D78-AFE4-6BB22EB77954",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "A863CCB4-564A-4B48-B848-BDD4136E6344",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu3:*:*:*:*:*:*",
"matchCriteriaId": "1C8E5FCA-385C-417C-99F5-D567561FF726",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu4:*:*:*:*:*:*",
"matchCriteriaId": "9007120A-79E2-40BB-AF85-7D3A5BA12D57",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu5:*:*:*:*:*:*",
"matchCriteriaId": "17342A94-F344-48F4-AF01-C8D9787A026F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu6:*:*:*:*:*:*",
"matchCriteriaId": "AF594C79-79DF-4347-A032-D9E33BE17D56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu7:*:*:*:*:*:*",
"matchCriteriaId": "4ABCF70B-DCD4-4D2A-830D-4BE9E4E0CC20",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu7.1:*:*:*:*:*:*",
"matchCriteriaId": "ED043341-3D12-4BAD-B064-1FD31BD94EBF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu7.2:*:*:*:*:*:*",
"matchCriteriaId": "B68421C7-67B0-418E-A1F4-D202AF56A074",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu7.3:*:*:*:*:*:*",
"matchCriteriaId": "85D25189-5488-4C05-A187-CBD57F0BFB6B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B9412B9A-6972-4250-98C6-2D24FD3CA870",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.9.1:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "F8F30079-BCC5-4764-BA0B-B788054D4A1C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "BECDB14E-DCF8-40E6-9A69-DD4B33689481",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5FCC5B74-E260-4420-BA69-52D931D0816A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.1:build1:*:*:*:*:*:*",
"matchCriteriaId": "78BD7CBD-B1A5-4998-A356-96B6EBB69884",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.1:build2:*:*:*:*:*:*",
"matchCriteriaId": "E022EBAC-22FD-4174-BD9C-FDC8C59B4EA9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.1:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "76BB9D6E-960E-441B-9BE6-A91871F8BF2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "95AAB90A-99D3-42B7-AC6D-F292F5DC338D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "78EFED05-114B-4ACC-ACE7-4862FF3CEF21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.2:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "492F2102-1B12-49BA-ACAD-811896D6D41C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.2:ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "F7B9C782-B85D-40B0-9B2D-3A0E0717124F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BBE95FDD-1DD6-4EE1-BBDB-466286246D34",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.3:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "BED15761-D52F-4DFA-B311-5E83C098CA92",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "DA6E2809-0168-40ED-8E6D-11EFEAD691E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.4:build1:*:*:*:*:*:*",
"matchCriteriaId": "17F79D9B-B0E4-4DE3-B56E-8C0DB7D11B06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EE723A31-105B-4B7A-BD36-39F66F2D328A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.5:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "420F0F94-6271-46B6-A764-F80734025924",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.5:ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "4FBFE40A-1CFD-421F-9EB1-78A655CB4D18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.5:ubuntu3:*:*:*:*:*:*",
"matchCriteriaId": "365D175D-306D-4FF2-9AFC-6E61C5EC4894",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
"matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.0.1:build1:*:*:*:*:*:*",
"matchCriteriaId": "13651D35-2210-459D-ACF9-24098BA9FA94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.0.1:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "CABE1D3B-3CF8-4CEE-AD4B-A763041E06C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.0.1:ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "77EB9A5F-D8DA-497F-BF0E-A59859C7866D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "4E64022C-0775-4DD2-9B57-490EE4E5147C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1build1:*:*:*:*:*:*",
"matchCriteriaId": "09B3C47B-8C39-454E-9604-61EFF6F271E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.1:*:*:*:*:*:*",
"matchCriteriaId": "84D6B098-CDA0-489A-A0F2-9E30398ACFCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.2:*:*:*:*:*:*",
"matchCriteriaId": "DC1A8478-5D50-4574-8ED5-D4DC1617128C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.3:*:*:*:*:*:*",
"matchCriteriaId": "02ED67EF-AD26-44D9-966E-7F2EFACA98FD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.4:*:*:*:*:*:*",
"matchCriteriaId": "8EF37D60-DF9C-494D-9E99-CAF2688D2709",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.5:*:*:*:*:*:*",
"matchCriteriaId": "DF4CF123-0348-4DBA-87AC-8C02CB6C560A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:debian:python-apt:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "14C28F87-5F9F-4DC6-A690-0CFDDD3C4345",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0C32BE0B-1346-4ED3-8A80-4AA6EE2FD44B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.4.0:beta3build2:*:*:*:*:*:*",
"matchCriteriaId": "223E48D6-EFD6-43CC-8A57-3FBE61007B43",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.4.0:beta3ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "276A516B-F419-4922-AD3D-089D894B75EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A174B38B-D155-4D1D-82CC-B62380F68D33",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "A8692D74-6D5C-4606-BB15-7ADF95E22171",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:rc2ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "2C96734E-FB35-4525-B69F-00BB8F210459",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:rc2ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "F4B4B6D1-9399-4EA1-B4CE-82E1148E9894",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "3781605F-02A1-40CC-9D02-E2140B1B3064",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E05CF21E-EACE-4B18-9180-03B0983F95AD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "307ECCEB-8E55-49FC-B44F-319BC07F0A05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5C00B937-3F2A-4E3C-8C09-ECF01662A05B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.3:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "DE4A7E7B-C520-4B56-A802-96DBE153284C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "5290F1FF-D143-4B10-BE1A-3BBC17D42A6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EE146221-82F3-4CDE-A713-6A3FA6742F71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
"matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EE146221-82F3-4CDE-A713-6A3FA6742F71",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.9.0:alpha0\\~ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "A20E9163-0590-44C8-81EF-DE999F9D504A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.9.0:alpha0\\~ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "3F84F347-CBD7-4E07-AF93-997E7C6569CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.9.0:ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "ACA89794-91C5-48BD-AF40-971D892717EC",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*",
"matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A5C41C59-4955-42D5-8724-A67D8DA7B9E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "163726B0-4A4F-4F7E-9A48-06BEFC29DC6F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.0:alpha0\\~ubuntu1:*:*:*:*:*:*",
"matchCriteriaId": "1BC6ADE4-D2AB-424F-A63D-57840016D6F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.0:alpha0\\~ubuntu2:*:*:*:*:*:*",
"matchCriteriaId": "1BBD93FF-57C9-488E-8C11-CFA8EC1C5345",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1C378E5B-9AF4-436C-BAE6-1A009F5D490E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "6726FF84-F4DF-47A9-910B-9288D57A22BA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FAC0AE27-85A4-4F6C-80E3-08A6B45F267C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "EE146221-82F3-4CDE-A713-6A3FA6742F71",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*",
"matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Python-apt doesn\u0027t check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn\u0027t be allowed and has been fixed in verisions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
},
{
"lang": "es",
"value": "Python-apt no comprueba si los hashes est\u00e1n firmados en las funciones \"Version.fetch_binary()\" y \"Version.fetch_source()\" del archivo apt/package.py o en la funci\u00f3n \"_fetch_archives()\" del archivo apt/cache.py en versi\u00f3n 1.9. 3ubuntu2 y anteriores. Esto permite descargas desde repositorios no firmados que no deber\u00edan ser permitidos y ha sido corregido en las versiones 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2 y 0.8.3ubuntu7.5."
}
],
"id": "CVE-2019-15796",
"lastModified": "2024-11-21T04:29:29.153",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.7,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-26T13:15:12.843",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"source": "security@ubuntu.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4247-3/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://usn.ubuntu.com/4247-3/"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-347"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2019-15795 (GCVE-0-2019-15795)
Vulnerability from cvelistv5 – Published: 2020-03-26 13:00 – Updated: 2024-09-16 19:45
VLAI?
Summary
python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.
Severity ?
4.7 (Medium)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Python-apt |
Affected:
0.8.3 , < 0.8.3ubuntu7.5
(custom)
Affected: 0.9.3.5 , < 0.9.3.5ubuntu3+esm2 (custom) Affected: 1.1.0 , < 1.1.0~beta1ubuntu0.16.04.7 (custom) Affected: 1.6.5 , < 1.6.5ubuntu0.1 (custom) Affected: 1.9.0 , < 1.9.0ubuntu1.2 (custom) |
Credits
Julian Andres Klode
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:56:22.746Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4247-3/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Python-apt",
"vendor": "Canonical",
"versions": [
{
"lessThan": "0.8.3ubuntu7.5",
"status": "affected",
"version": "0.8.3",
"versionType": "custom"
},
{
"lessThan": "0.9.3.5ubuntu3+esm2",
"status": "affected",
"version": "0.9.3.5",
"versionType": "custom"
},
{
"lessThan": "1.1.0~beta1ubuntu0.16.04.7",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
},
{
"lessThan": "1.6.5ubuntu0.1",
"status": "affected",
"version": "1.6.5",
"versionType": "custom"
},
{
"lessThan": "1.9.0ubuntu1.2",
"status": "affected",
"version": "1.9.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Julian Andres Klode"
}
],
"datePublic": "2019-08-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-26T13:00:21",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4247-3/"
}
],
"source": {
"advisory": "https://usn.ubuntu.com/usn/usn-4247-1",
"defect": [
"https://bugs.launchpad.net/ubuntu/%2Bsource/python-apt/%2Bbug/1858972"
],
"discovery": "UNKNOWN"
},
"title": "python-apt uses MD5 for validation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2019-08-06T16:33:00.000Z",
"ID": "CVE-2019-15795",
"STATE": "PUBLIC",
"TITLE": "python-apt uses MD5 for validation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Python-apt",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "0.8.3",
"version_value": "0.8.3ubuntu7.5"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "0.9.3.5",
"version_value": "0.9.3.5ubuntu3+esm2"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.1.0",
"version_value": "1.1.0~beta1ubuntu0.16.04.7"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.6.5",
"version_value": "1.6.5ubuntu0.1"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.9.0",
"version_value": "1.9.0ubuntu1.2"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "Julian Andres Klode"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"name": "",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4247-3/"
}
]
},
"solution": [],
"source": {
"advisory": "https://usn.ubuntu.com/usn/usn-4247-1",
"defect": [
"https://bugs.launchpad.net/ubuntu/%2Bsource/python-apt/%2Bbug/1858972"
],
"discovery": "UNKNOWN"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2019-15795",
"datePublished": "2020-03-26T13:00:21.299320Z",
"dateReserved": "2019-08-29T00:00:00",
"dateUpdated": "2024-09-16T19:45:50.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15796 (GCVE-0-2019-15796)
Vulnerability from cvelistv5 – Published: 2020-03-26 13:00 – Updated: 2024-09-16 22:14
VLAI?
Summary
Python-apt doesn't check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn't be allowed and has been fixed in verisions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.
Severity ?
4.7 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Python-apt |
Affected:
0.8.3 , < 0.8.3ubuntu7.5
(custom)
Affected: 0.9.3.5 , < 0.9.3.5ubuntu3+esm2 (custom) Affected: 1.1.0 , < 1.1.0~beta1ubuntu0.16.04.7 (custom) Affected: 1.6.5 , < 1.6.5ubuntu0.1 (custom) Affected: 1.9.0 , < 1.9.0ubuntu1.2 (custom) Affected: 1.9.5 , < 1.9.5 (custom) |
Credits
Julian Andres Klode
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:56:22.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4247-3/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Python-apt",
"vendor": "Canonical",
"versions": [
{
"lessThan": "0.8.3ubuntu7.5",
"status": "affected",
"version": "0.8.3",
"versionType": "custom"
},
{
"lessThan": "0.9.3.5ubuntu3+esm2",
"status": "affected",
"version": "0.9.3.5",
"versionType": "custom"
},
{
"lessThan": "1.1.0~beta1ubuntu0.16.04.7",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
},
{
"lessThan": "1.6.5ubuntu0.1",
"status": "affected",
"version": "1.6.5",
"versionType": "custom"
},
{
"lessThan": "1.9.0ubuntu1.2",
"status": "affected",
"version": "1.9.0",
"versionType": "custom"
},
{
"lessThan": "1.9.5",
"status": "affected",
"version": "1.9.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Julian Andres Klode"
}
],
"datePublic": "2019-12-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Python-apt doesn\u0027t check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn\u0027t be allowed and has been fixed in verisions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-26T13:00:21",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4247-3/"
}
],
"source": {
"advisory": "https://usn.ubuntu.com/4247-1/",
"defect": [
"https://bugs.launchpad.net/bugs/1858973"
],
"discovery": "UNKNOWN"
},
"title": "python-apt downloads from untrusted sources",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2019-12-12T17:47:00.000Z",
"ID": "CVE-2019-15796",
"STATE": "PUBLIC",
"TITLE": "python-apt downloads from untrusted sources"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Python-apt",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "0.8.3",
"version_value": "0.8.3ubuntu7.5"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "0.9.3.5",
"version_value": "0.9.3.5ubuntu3+esm2"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.1.0",
"version_value": "1.1.0~beta1ubuntu0.16.04.7"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.6.5",
"version_value": "1.6.5ubuntu0.1"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.9.0",
"version_value": "1.9.0ubuntu1.2"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.9.5",
"version_value": "1.9.5"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "Julian Andres Klode"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Python-apt doesn\u0027t check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn\u0027t be allowed and has been fixed in verisions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"name": "",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4247-3/"
}
]
},
"solution": [],
"source": {
"advisory": "https://usn.ubuntu.com/4247-1/",
"defect": [
"https://bugs.launchpad.net/bugs/1858973"
],
"discovery": "UNKNOWN"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2019-15796",
"datePublished": "2020-03-26T13:00:21.745369Z",
"dateReserved": "2019-08-29T00:00:00",
"dateUpdated": "2024-09-16T22:14:45.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15795 (GCVE-0-2019-15795)
Vulnerability from nvd – Published: 2020-03-26 13:00 – Updated: 2024-09-16 19:45
VLAI?
Summary
python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.
Severity ?
4.7 (Medium)
CWE
- CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Python-apt |
Affected:
0.8.3 , < 0.8.3ubuntu7.5
(custom)
Affected: 0.9.3.5 , < 0.9.3.5ubuntu3+esm2 (custom) Affected: 1.1.0 , < 1.1.0~beta1ubuntu0.16.04.7 (custom) Affected: 1.6.5 , < 1.6.5ubuntu0.1 (custom) Affected: 1.9.0 , < 1.9.0ubuntu1.2 (custom) |
Credits
Julian Andres Klode
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:56:22.746Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4247-3/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Python-apt",
"vendor": "Canonical",
"versions": [
{
"lessThan": "0.8.3ubuntu7.5",
"status": "affected",
"version": "0.8.3",
"versionType": "custom"
},
{
"lessThan": "0.9.3.5ubuntu3+esm2",
"status": "affected",
"version": "0.9.3.5",
"versionType": "custom"
},
{
"lessThan": "1.1.0~beta1ubuntu0.16.04.7",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
},
{
"lessThan": "1.6.5ubuntu0.1",
"status": "affected",
"version": "1.6.5",
"versionType": "custom"
},
{
"lessThan": "1.9.0ubuntu1.2",
"status": "affected",
"version": "1.9.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Julian Andres Klode"
}
],
"datePublic": "2019-08-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-26T13:00:21",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4247-3/"
}
],
"source": {
"advisory": "https://usn.ubuntu.com/usn/usn-4247-1",
"defect": [
"https://bugs.launchpad.net/ubuntu/%2Bsource/python-apt/%2Bbug/1858972"
],
"discovery": "UNKNOWN"
},
"title": "python-apt uses MD5 for validation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2019-08-06T16:33:00.000Z",
"ID": "CVE-2019-15795",
"STATE": "PUBLIC",
"TITLE": "python-apt uses MD5 for validation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Python-apt",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "0.8.3",
"version_value": "0.8.3ubuntu7.5"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "0.9.3.5",
"version_value": "0.9.3.5ubuntu3+esm2"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.1.0",
"version_value": "1.1.0~beta1ubuntu0.16.04.7"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.6.5",
"version_value": "1.6.5ubuntu0.1"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.9.0",
"version_value": "1.9.0ubuntu1.2"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "Julian Andres Klode"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"name": "",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4247-3/"
}
]
},
"solution": [],
"source": {
"advisory": "https://usn.ubuntu.com/usn/usn-4247-1",
"defect": [
"https://bugs.launchpad.net/ubuntu/%2Bsource/python-apt/%2Bbug/1858972"
],
"discovery": "UNKNOWN"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2019-15795",
"datePublished": "2020-03-26T13:00:21.299320Z",
"dateReserved": "2019-08-29T00:00:00",
"dateUpdated": "2024-09-16T19:45:50.191Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-15796 (GCVE-0-2019-15796)
Vulnerability from nvd – Published: 2020-03-26 13:00 – Updated: 2024-09-16 22:14
VLAI?
Summary
Python-apt doesn't check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn't be allowed and has been fixed in verisions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.
Severity ?
4.7 (Medium)
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Canonical | Python-apt |
Affected:
0.8.3 , < 0.8.3ubuntu7.5
(custom)
Affected: 0.9.3.5 , < 0.9.3.5ubuntu3+esm2 (custom) Affected: 1.1.0 , < 1.1.0~beta1ubuntu0.16.04.7 (custom) Affected: 1.6.5 , < 1.6.5ubuntu0.1 (custom) Affected: 1.9.0 , < 1.9.0ubuntu1.2 (custom) Affected: 1.9.5 , < 1.9.5 (custom) |
Credits
Julian Andres Klode
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:56:22.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4247-3/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Python-apt",
"vendor": "Canonical",
"versions": [
{
"lessThan": "0.8.3ubuntu7.5",
"status": "affected",
"version": "0.8.3",
"versionType": "custom"
},
{
"lessThan": "0.9.3.5ubuntu3+esm2",
"status": "affected",
"version": "0.9.3.5",
"versionType": "custom"
},
{
"lessThan": "1.1.0~beta1ubuntu0.16.04.7",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
},
{
"lessThan": "1.6.5ubuntu0.1",
"status": "affected",
"version": "1.6.5",
"versionType": "custom"
},
{
"lessThan": "1.9.0ubuntu1.2",
"status": "affected",
"version": "1.9.0",
"versionType": "custom"
},
{
"lessThan": "1.9.5",
"status": "affected",
"version": "1.9.5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Julian Andres Klode"
}
],
"datePublic": "2019-12-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Python-apt doesn\u0027t check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn\u0027t be allowed and has been fixed in verisions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-26T13:00:21",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4247-3/"
}
],
"source": {
"advisory": "https://usn.ubuntu.com/4247-1/",
"defect": [
"https://bugs.launchpad.net/bugs/1858973"
],
"discovery": "UNKNOWN"
},
"title": "python-apt downloads from untrusted sources",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "",
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2019-12-12T17:47:00.000Z",
"ID": "CVE-2019-15796",
"STATE": "PUBLIC",
"TITLE": "python-apt downloads from untrusted sources"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Python-apt",
"version": {
"version_data": [
{
"platform": "",
"version_affected": "\u003c",
"version_name": "0.8.3",
"version_value": "0.8.3ubuntu7.5"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "0.9.3.5",
"version_value": "0.9.3.5ubuntu3+esm2"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.1.0",
"version_value": "1.1.0~beta1ubuntu0.16.04.7"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.6.5",
"version_value": "1.6.5ubuntu0.1"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.9.0",
"version_value": "1.9.0ubuntu1.2"
},
{
"platform": "",
"version_affected": "\u003c",
"version_name": "1.9.5",
"version_value": "1.9.5"
}
]
}
}
]
},
"vendor_name": "Canonical"
}
]
}
},
"configuration": [],
"credit": [
{
"lang": "eng",
"value": "Julian Andres Klode"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Python-apt doesn\u0027t check if hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn\u0027t be allowed and has been fixed in verisions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
}
]
},
"exploit": [],
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-287 Improper Authentication"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4247-1/"
},
{
"name": "",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4247-3/"
}
]
},
"solution": [],
"source": {
"advisory": "https://usn.ubuntu.com/4247-1/",
"defect": [
"https://bugs.launchpad.net/bugs/1858973"
],
"discovery": "UNKNOWN"
},
"work_around": []
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2019-15796",
"datePublished": "2020-03-26T13:00:21.745369Z",
"dateReserved": "2019-08-29T00:00:00",
"dateUpdated": "2024-09-16T22:14:45.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}