fkie_nvd - fkie_cve-2019-15795

FKIE_CVE-2019-15795

Vulnerability from fkie_nvd - Published: 2020-03-26 13:15 - Updated: 2024-11-21 04:29

Severity ?

4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.

References

URL	Tags
security@ubuntu.com	https://usn.ubuntu.com/4247-1/	Patch, Vendor Advisory
security@ubuntu.com	https://usn.ubuntu.com/4247-3/	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://usn.ubuntu.com/4247-1/	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://usn.ubuntu.com/4247-3/	Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
ubuntu	python-apt	0.8.0
ubuntu	python-apt	0.8.1
ubuntu	python-apt	0.8.3
ubuntu	python-apt	0.8.3
ubuntu	python-apt	0.8.3
ubuntu	python-apt	0.8.3
ubuntu	python-apt	0.8.3
ubuntu	python-apt	0.8.3
ubuntu	python-apt	0.8.3
ubuntu	python-apt	0.8.3
ubuntu	python-apt	0.8.3
ubuntu	python-apt	0.8.3
canonical	ubuntu_linux	12.04
ubuntu	python-apt	0.8.9.1
ubuntu	python-apt	0.8.9.1
ubuntu	python-apt	0.9.0
ubuntu	python-apt	0.9.1
ubuntu	python-apt	0.9.1
ubuntu	python-apt	0.9.1
ubuntu	python-apt	0.9.1
ubuntu	python-apt	0.9.3.1
ubuntu	python-apt	0.9.3.2
ubuntu	python-apt	0.9.3.2
ubuntu	python-apt	0.9.3.2
ubuntu	python-apt	0.9.3.3
ubuntu	python-apt	0.9.3.3
ubuntu	python-apt	0.9.3.4
ubuntu	python-apt	0.9.3.4
ubuntu	python-apt	0.9.3.5
ubuntu	python-apt	0.9.3.5
ubuntu	python-apt	0.9.3.5
ubuntu	python-apt	0.9.3.5
canonical	ubuntu_linux	14.04
ubuntu	python-apt	1.0.1
ubuntu	python-apt	1.0.1
ubuntu	python-apt	1.0.1
ubuntu	python-apt	1.1.0
ubuntu	python-apt	1.1.0
ubuntu	python-apt	1.1.0
ubuntu	python-apt	1.1.0
ubuntu	python-apt	1.1.0
ubuntu	python-apt	1.1.0
ubuntu	python-apt	1.1.0
canonical	ubuntu_linux	16.04
debian	python-apt	1.8.4
ubuntu	python-apt	1.4.0
ubuntu	python-apt	1.4.0
ubuntu	python-apt	1.4.0
ubuntu	python-apt	1.6.0
ubuntu	python-apt	1.6.0
ubuntu	python-apt	1.6.0
ubuntu	python-apt	1.6.0
ubuntu	python-apt	1.6.0
ubuntu	python-apt	1.6.1
ubuntu	python-apt	1.6.2
ubuntu	python-apt	1.6.3
ubuntu	python-apt	1.6.3
ubuntu	python-apt	1.6.4
ubuntu	python-apt	1.8.4
canonical	ubuntu_linux	18.04
ubuntu	python-apt	1.8.4
ubuntu	python-apt	1.9.0
ubuntu	python-apt	1.9.0
ubuntu	python-apt	1.9.0
canonical	ubuntu_linux	19.10
ubuntu	python-apt	1.7.0
ubuntu	python-apt	1.8.0
ubuntu	python-apt	1.8.0
ubuntu	python-apt	1.8.0
ubuntu	python-apt	1.8.1
ubuntu	python-apt	1.8.2
ubuntu	python-apt	1.8.3
ubuntu	python-apt	1.8.4
canonical	ubuntu_linux	19.04

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.0:ubuntu9:*:*:*:*:*:*",
              "matchCriteriaId": "C8023A14-4ECA-4A75-8171-26709D2D3792",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.1:ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "1EF9A385-956B-472C-A679-A3FE4AC00592",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "D8875AAE-0C17-4D78-AFE4-6BB22EB77954",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu2:*:*:*:*:*:*",
              "matchCriteriaId": "A863CCB4-564A-4B48-B848-BDD4136E6344",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu3:*:*:*:*:*:*",
              "matchCriteriaId": "1C8E5FCA-385C-417C-99F5-D567561FF726",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu4:*:*:*:*:*:*",
              "matchCriteriaId": "9007120A-79E2-40BB-AF85-7D3A5BA12D57",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu5:*:*:*:*:*:*",
              "matchCriteriaId": "17342A94-F344-48F4-AF01-C8D9787A026F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu6:*:*:*:*:*:*",
              "matchCriteriaId": "AF594C79-79DF-4347-A032-D9E33BE17D56",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu7:*:*:*:*:*:*",
              "matchCriteriaId": "4ABCF70B-DCD4-4D2A-830D-4BE9E4E0CC20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu7.1:*:*:*:*:*:*",
              "matchCriteriaId": "ED043341-3D12-4BAD-B064-1FD31BD94EBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu7.2:*:*:*:*:*:*",
              "matchCriteriaId": "B68421C7-67B0-418E-A1F4-D202AF56A074",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.3:ubuntu7.3:*:*:*:*:*:*",
              "matchCriteriaId": "85D25189-5488-4C05-A187-CBD57F0BFB6B",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*",
              "matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B9412B9A-6972-4250-98C6-2D24FD3CA870",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.8.9.1:ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "F8F30079-BCC5-4764-BA0B-B788054D4A1C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "BECDB14E-DCF8-40E6-9A69-DD4B33689481",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "5FCC5B74-E260-4420-BA69-52D931D0816A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.1:build1:*:*:*:*:*:*",
              "matchCriteriaId": "78BD7CBD-B1A5-4998-A356-96B6EBB69884",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.1:build2:*:*:*:*:*:*",
              "matchCriteriaId": "E022EBAC-22FD-4174-BD9C-FDC8C59B4EA9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.1:ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "76BB9D6E-960E-441B-9BE6-A91871F8BF2B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "95AAB90A-99D3-42B7-AC6D-F292F5DC338D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "78EFED05-114B-4ACC-ACE7-4862FF3CEF21",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.2:ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "492F2102-1B12-49BA-ACAD-811896D6D41C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.2:ubuntu2:*:*:*:*:*:*",
              "matchCriteriaId": "F7B9C782-B85D-40B0-9B2D-3A0E0717124F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "BBE95FDD-1DD6-4EE1-BBDB-466286246D34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.3:ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "BED15761-D52F-4DFA-B311-5E83C098CA92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA6E2809-0168-40ED-8E6D-11EFEAD691E7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.4:build1:*:*:*:*:*:*",
              "matchCriteriaId": "17F79D9B-B0E4-4DE3-B56E-8C0DB7D11B06",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE723A31-105B-4B7A-BD36-39F66F2D328A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.5:ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "420F0F94-6271-46B6-A764-F80734025924",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.5:ubuntu2:*:*:*:*:*:*",
              "matchCriteriaId": "4FBFE40A-1CFD-421F-9EB1-78A655CB4D18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:0.9.3.5:ubuntu3:*:*:*:*:*:*",
              "matchCriteriaId": "365D175D-306D-4FF2-9AFC-6E61C5EC4894",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*",
              "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.0.1:build1:*:*:*:*:*:*",
              "matchCriteriaId": "13651D35-2210-459D-ACF9-24098BA9FA94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.0.1:ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "CABE1D3B-3CF8-4CEE-AD4B-A763041E06C0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.0.1:ubuntu2:*:*:*:*:*:*",
              "matchCriteriaId": "77EB9A5F-D8DA-497F-BF0E-A59859C7866D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "4E64022C-0775-4DD2-9B57-490EE4E5147C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1build1:*:*:*:*:*:*",
              "matchCriteriaId": "09B3C47B-8C39-454E-9604-61EFF6F271E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.1:*:*:*:*:*:*",
              "matchCriteriaId": "84D6B098-CDA0-489A-A0F2-9E30398ACFCD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.2:*:*:*:*:*:*",
              "matchCriteriaId": "DC1A8478-5D50-4574-8ED5-D4DC1617128C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.3:*:*:*:*:*:*",
              "matchCriteriaId": "02ED67EF-AD26-44D9-966E-7F2EFACA98FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.4:*:*:*:*:*:*",
              "matchCriteriaId": "8EF37D60-DF9C-494D-9E99-CAF2688D2709",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.5:*:*:*:*:*:*",
              "matchCriteriaId": "DF4CF123-0348-4DBA-87AC-8C02CB6C560A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:debian:python-apt:1.8.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "14C28F87-5F9F-4DC6-A690-0CFDDD3C4345",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C32BE0B-1346-4ED3-8A80-4AA6EE2FD44B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.4.0:beta3build2:*:*:*:*:*:*",
              "matchCriteriaId": "223E48D6-EFD6-43CC-8A57-3FBE61007B43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.4.0:beta3ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "276A516B-F419-4922-AD3D-089D894B75EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A174B38B-D155-4D1D-82CC-B62380F68D33",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "A8692D74-6D5C-4606-BB15-7ADF95E22171",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:rc2ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "2C96734E-FB35-4525-B69F-00BB8F210459",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:rc2ubuntu2:*:*:*:*:*:*",
              "matchCriteriaId": "F4B4B6D1-9399-4EA1-B4CE-82E1148E9894",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "3781605F-02A1-40CC-9D02-E2140B1B3064",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "E05CF21E-EACE-4B18-9180-03B0983F95AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "307ECCEB-8E55-49FC-B44F-319BC07F0A05",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C00B937-3F2A-4E3C-8C09-ECF01662A05B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.3:ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "DE4A7E7B-C520-4B56-A802-96DBE153284C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.6.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "5290F1FF-D143-4B10-BE1A-3BBC17D42A6F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE146221-82F3-4CDE-A713-6A3FA6742F71",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*",
              "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE146221-82F3-4CDE-A713-6A3FA6742F71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.9.0:alpha0\\~ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "A20E9163-0590-44C8-81EF-DE999F9D504A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.9.0:alpha0\\~ubuntu2:*:*:*:*:*:*",
              "matchCriteriaId": "3F84F347-CBD7-4E07-AF93-997E7C6569CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.9.0:ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "ACA89794-91C5-48BD-AF40-971D892717EC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.7.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5C41C59-4955-42D5-8724-A67D8DA7B9E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "163726B0-4A4F-4F7E-9A48-06BEFC29DC6F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.0:alpha0\\~ubuntu1:*:*:*:*:*:*",
              "matchCriteriaId": "1BC6ADE4-D2AB-424F-A63D-57840016D6F2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.0:alpha0\\~ubuntu2:*:*:*:*:*:*",
              "matchCriteriaId": "1BBD93FF-57C9-488E-8C11-CFA8EC1C5345",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C378E5B-9AF4-436C-BAE6-1A009F5D490E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "6726FF84-F4DF-47A9-910B-9288D57A22BA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "FAC0AE27-85A4-4F6C-80E3-08A6B45F267C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:ubuntu:python-apt:1.8.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "EE146221-82F3-4CDE-A713-6A3FA6742F71",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
    },
    {
      "lang": "es",
      "value": "Python-apt solo comprueba las cantidades MD5 de los archivos descargados en las funciones \"Version.fetch_binary()\" y \"Version.fetch_source()\" del archivo apt/package.py en la versi\u00f3n 1.9.0ubuntu1 y anteriores. Esto permite un ataque de tipo man-in-the-middle que podr\u00eda ser usado para instalar paquetes alterados y ha sido corregido en las versiones 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9. 3.5ubuntu3+esm2, y 0.8.3ubuntu7.5."
    }
  ],
  "id": "CVE-2019-15795",
  "lastModified": "2024-11-21T04:29:29.007",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 2.6,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 2.7,
        "source": "security@ubuntu.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-03-26T13:15:12.750",
  "references": [
    {
      "source": "security@ubuntu.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://usn.ubuntu.com/4247-1/"
    },
    {
      "source": "security@ubuntu.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://usn.ubuntu.com/4247-3/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://usn.ubuntu.com/4247-1/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://usn.ubuntu.com/4247-3/"
    }
  ],
  "sourceIdentifier": "security@ubuntu.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-327"
        }
      ],
      "source": "security@ubuntu.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-327"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2019-15795 (GCVE-0-2019-15795)

Vulnerability from cvelistv5 – Published: 2020-03-26 13:00 – Updated: 2024-09-16 19:45

Summary

Severity ?

4.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Assigner

canonical

References

URL

Tags

	https://usn.ubuntu.com/4247-1/	vendor-advisoryx_refsource_UBUNTU
	https://usn.ubuntu.com/4247-3/	vendor-advisoryx_refsource_UBUNTU

Impacted products

	Vendor	Product	Version
	Canonical	Python-apt	Affected: 0.8.3 , < 0.8.3ubuntu7.5 (custom) Affected: 0.9.3.5 , < 0.9.3.5ubuntu3+esm2 (custom) Affected: 1.1.0 , < 1.1.0~beta1ubuntu0.16.04.7 (custom) Affected: 1.6.5 , < 1.6.5ubuntu0.1 (custom) Affected: 1.9.0 , < 1.9.0ubuntu1.2 (custom)

Credits

Julian Andres Klode

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:56:22.746Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4247-1/"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4247-3/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Python-apt",
          "vendor": "Canonical",
          "versions": [
            {
              "lessThan": "0.8.3ubuntu7.5",
              "status": "affected",
              "version": "0.8.3",
              "versionType": "custom"
            },
            {
              "lessThan": "0.9.3.5ubuntu3+esm2",
              "status": "affected",
              "version": "0.9.3.5",
              "versionType": "custom"
            },
            {
              "lessThan": "1.1.0~beta1ubuntu0.16.04.7",
              "status": "affected",
              "version": "1.1.0",
              "versionType": "custom"
            },
            {
              "lessThan": "1.6.5ubuntu0.1",
              "status": "affected",
              "version": "1.6.5",
              "versionType": "custom"
            },
            {
              "lessThan": "1.9.0ubuntu1.2",
              "status": "affected",
              "version": "1.9.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Julian Andres Klode"
        }
      ],
      "datePublic": "2019-08-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-327",
              "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-26T13:00:21",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4247-1/"
        },
        {
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4247-3/"
        }
      ],
      "source": {
        "advisory": "https://usn.ubuntu.com/usn/usn-4247-1",
        "defect": [
          "https://bugs.launchpad.net/ubuntu/%2Bsource/python-apt/%2Bbug/1858972"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "python-apt uses MD5 for validation",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "",
          "ASSIGNER": "security@ubuntu.com",
          "DATE_PUBLIC": "2019-08-06T16:33:00.000Z",
          "ID": "CVE-2019-15795",
          "STATE": "PUBLIC",
          "TITLE": "python-apt uses MD5 for validation"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Python-apt",
                      "version": {
                        "version_data": [
                          {
                            "platform": "",
                            "version_affected": "\u003c",
                            "version_name": "0.8.3",
                            "version_value": "0.8.3ubuntu7.5"
                          },
                          {
                            "platform": "",
                            "version_affected": "\u003c",
                            "version_name": "0.9.3.5",
                            "version_value": "0.9.3.5ubuntu3+esm2"
                          },
                          {
                            "platform": "",
                            "version_affected": "\u003c",
                            "version_name": "1.1.0",
                            "version_value": "1.1.0~beta1ubuntu0.16.04.7"
                          },
                          {
                            "platform": "",
                            "version_affected": "\u003c",
                            "version_name": "1.6.5",
                            "version_value": "1.6.5ubuntu0.1"
                          },
                          {
                            "platform": "",
                            "version_affected": "\u003c",
                            "version_name": "1.9.0",
                            "version_value": "1.9.0ubuntu1.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Canonical"
              }
            ]
          }
        },
        "configuration": [],
        "credit": [
          {
            "lang": "eng",
            "value": "Julian Andres Klode"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."
            }
          ]
        },
        "exploit": [],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4247-1/"
            },
            {
              "name": "",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4247-3/"
            }
          ]
        },
        "solution": [],
        "source": {
          "advisory": "https://usn.ubuntu.com/usn/usn-4247-1",
          "defect": [
            "https://bugs.launchpad.net/ubuntu/%2Bsource/python-apt/%2Bbug/1858972"
          ],
          "discovery": "UNKNOWN"
        },
        "work_around": []
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2019-15795",
    "datePublished": "2020-03-26T13:00:21.299320Z",
    "dateReserved": "2019-08-29T00:00:00",
    "dateUpdated": "2024-09-16T19:45:50.191Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2019-15795

CVE-2019-15795 (GCVE-0-2019-15795)

Tags

Sightings

Nomenclature