Vulnerabilities > Debian > Advanced Package Tool > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-12-10 CVE-2020-27350 Integer Overflow or Wraparound vulnerability in multiple products
APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc.
local
low complexity
debian netapp CWE-190
5.7
2019-11-26 CVE-2011-3374 Improper Verification of Cryptographic Signature vulnerability in Debian Advanced Package Tool and Debian Linux
It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.
network
debian CWE-347
4.3
2018-08-21 CVE-2018-0501 Improper Verification of Cryptographic Signature vulnerability in multiple products
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.
network
high complexity
canonical debian CWE-347
5.9
2017-12-05 CVE-2016-1252 Improper Certificate Validation vulnerability in multiple products
The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.
4.3
2014-11-03 CVE-2014-0488 Improper Input Validation vulnerability in Debian Advanced Package Tool 1.0.3/1.0.7
APT before 1.0.9 does not "invalidate repository data" when moving from an unauthenticated to authenticated state, which allows remote attackers to have unspecified impact via crafted repository data.
network
debian CWE-20
6.8
2014-09-30 CVE-2014-6273 Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Debian Advanced Package Tool
Buffer overflow in the HTTP transport code in apt-get in APT 1.0.1 and earlier allows man-in-the-middle attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted URL.
network
debian CWE-119
6.8
2014-06-17 CVE-2014-0478 Improper Input Validation vulnerability in Debian Advanced Package Tool
APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature.
network
high complexity
debian CWE-20
4.0
2013-03-21 CVE-2013-1051 Improper Input Validation vulnerability in multiple products
apt 0.8.16, 0.9.7, and possibly other versions does not properly handle InRelease files, which allows man-in-the-middle attackers to modify packages before installation via unknown vectors, possibly related to integrity checking and the use of third-party repositories.
4.3
2011-07-27 CVE-2011-1829 Improper Input Validation vulnerability in multiple products
APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message.
4.3