Vulnerabilities > Debian > Advanced Package Tool

DATE CVE VULNERABILITY TITLE RISK
2020-12-10 CVE-2020-27351 Missing Release of Resource after Effective Lifetime vulnerability in Debian Advanced Package Tool
Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170.
local
low complexity
debian CWE-772
2.1
2020-12-10 CVE-2020-27350 Integer Overflow or Wraparound vulnerability in multiple products
APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc.
local
low complexity
debian netapp CWE-190
5.7
2019-11-26 CVE-2011-3374 Improper Verification of Cryptographic Signature vulnerability in Debian Advanced Package Tool and Debian Linux
It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.
network
debian CWE-347
4.3
2019-01-28 CVE-2019-3462 Incorrect sanitation of the 302 redirect field in HTTP transport method of apt versions 1.4.8 and earlier can lead to content injection by a MITM attacker, potentially leading to remote code execution on the target machine.
network
high complexity
debian canonical netapp
8.1
2018-08-21 CVE-2018-0501 Improper Verification of Cryptographic Signature vulnerability in multiple products
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.
network
high complexity
canonical debian CWE-347
5.9
2017-12-05 CVE-2016-1252 Improper Certificate Validation vulnerability in multiple products
The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.
4.3
2014-11-03 CVE-2014-0490 Improper Input Validation vulnerability in Debian Advanced Package Tool
The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package.
network
low complexity
debian linux CWE-20
7.5
2014-11-03 CVE-2014-0489 Improper Input Validation vulnerability in Debian Advanced Package Tool 1.0.3/1.0.5/1.0.7
APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.
network
low complexity
debian CWE-20
7.5
2014-11-03 CVE-2014-0488 Improper Input Validation vulnerability in Debian Advanced Package Tool 1.0.3/1.0.7
APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.
network
debian CWE-20
6.8
2014-11-03 CVE-2014-0487 Security Bypass vulnerability in apt
APT before 1.0.9 does not verify downloaded files if they have been modified as indicated using the If-Modified-Since header, which has unspecified impact and attack vectors.
network
low complexity
debian
7.5