CVE-2012-0954 — Improper Input Validation in Advanced Package Tool

CWE-20 — Improper Input Validation6 documents6 sources

Severity

2.6LOWNVD

EPSS

0.4%

top 41.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian APT Debian Advanced Package Tool

Timeline

PublishedJun 19

Latest updateMay 13

Description

APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.

CVSS vector

AV:N/AC:H/C:N/I:P/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages2 packages

▶Debiandebian/apt< 0.7.25+3

▶NVDdebian/advanced_package_tool49 versions+48

🔴Vulnerability Details

GHSA

GHSA-86m4-88r3-mw4c: APT 0↗2022-05-13

▶

CVEList

CVE-2012-0954: APT 0↗2012-06-19

▶

OSV

CVE-2012-0954: APT 0↗2012-06-19

▶

📋Vendor Advisories

Ubuntu

APT vulnerability↗2012-06-15

▶

Debian

CVE-2012-0954: apt - APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-upda...↗2012

▶