Lucene search

DebianCVE-2014-0478

HistoryJun 17, 2014 - 2:55 p.m.

CVE-2014-0478

2014-06-1714:55:06

CWE-20

debian

web.nvd.nist.gov

cve-2014-0478

apt

security vulnerability

validation

source packages

man-in-the-middle

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:N/I:P/A:P

AI Score

6.2

Confidence

Low

EPSS

0.001

Percentile

44.3%

JSON

APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature.

Affected configurations

Nvd

Node

debianadvanced_package_toolRange≤1.0.3

VendorProductVersionCPE
debianadvanced_package_tool*cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
debian	advanced_package_tool	*	cpe:2.3:a:debian:advanced_package_tool::::::::

References

secunia.com/advisories/58843

secunia.com/advisories/59358

www.debian.org/security/2014/dsa-2958

www.ubuntu.com/usn/USN-2246-1

bugs.debian.org/cgi-bin/bugreport.cgi?bug=749795

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:N/I:P/A:P

AI Score

6.2

Confidence

Low

EPSS

0.001

Percentile

44.3%

JSON

Related for CVE-2014-0478