5.9

CVE-2018-0501

The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CanonicalUbuntu Linux Version18.04 SwEditionlts
DebianAdvanced Package Tool Version >= 1.6.0 < 1.6.4
DebianAdvanced Package Tool Version1.7.0 Updatealpha
DebianAdvanced Package Tool Version1.7.0 Updatealpha1
DebianAdvanced Package Tool Version1.7.0 Updatealpha2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.95% 0.567
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://mirror.fail
Third Party Advisory
URL Repurposed
https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec
Patch
Third Party Advisory
https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47
Patch
Third Party Advisory
https://usn.ubuntu.com/3746-1/
Third Party Advisory