CVE Vulnerabilities

CVE-2016-1252

Improper Certificate Validation

Published: Dec 05, 2017 | Modified: Aug 14, 2020
CVSS 3.x
5.9
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu
HIGH

The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Advanced_package_tool Debian * 1.0.9.8.4 (excluding)
Apt Ubuntu devel *
Apt Ubuntu esm-infra/xenial *
Apt Ubuntu trusty *
Apt Ubuntu trusty/esm *
Apt Ubuntu vivid/stable-phone-overlay *
Apt Ubuntu vivid/ubuntu-core *
Apt Ubuntu xenial *
Apt Ubuntu yakkety *
Apt Ubuntu zesty *

Potential Mitigations

References