CVE-2011-3634

CWE-200 — Information Exposure7 documents7 sources

Severity

2.6LOW

EPSS

0.2%

top 62.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Advanced Package Tool Canonical Ubuntu Linux

Timeline

PublishedMar 1

Latest updateMay 13

Description

methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors.

CVSS vector

AV:N/AC:H/C:P/I:N/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages2 packages

▶Debianapt< 0.8.11+3

▶NVDdebian/advanced_package_tool0.8.10.3+5

Also affects: Ubuntu Linux 10.04, 10.10, 11.04, 8.04

🔴Vulnerability Details

GHSA

GHSA-rgc6-vjp8-p4rv: methods/https↗2022-05-13

▶

OSV

CVE-2011-3634: methods/https↗2014-03-01

▶

CVEList

CVE-2011-3634: methods/https↗2014-02-28

▶

📋Vendor Advisories

Ubuntu

APT vulnerability↗2011-11-28

▶

Debian

CVE-2011-3634: apt - methods/https.cc in apt before 0.8.11 accepts connections when the certificate h...↗2011

▶

💬Community

Bugzilla

CVE-2011-3634 apt: Did not honor Verify-Host configuration option properly↗2011-10-20

▶