CVE-2012-3587

CWE-20Improper Input ValidationCWE-190Integer Overflow10 documents7 sources
Severity
2.6LOW
EPSS
0.2%
top 63.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Debian Advanced Package Tool
Timeline
PublishedJun 19
Latest updateMay 13

Description

APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install Trojan horse packages via a man-in-the-middle (MITM) attack.

CVSS vector

AV:N/AC:H/C:N/I:P/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages2 packages

Debianapt< 0.7.25+3
NVDdebian/advanced_package_tool49 versions+48

🔴Vulnerability Details

3
GHSA
GHSA-2c4h-r267-mgv3: APT 02022-05-13
CVEList
CVE-2012-3587: APT 02012-06-19
OSV
CVE-2012-3587: APT 02012-06-19

📋Vendor Advisories

3
Red Hat
file: incomplete fix for CVE-2012-1571 in cdf_read_property_info2014-08-21
Red Hat
BREACH attack against HTTP compression2013-08-02
Debian
CVE-2012-3587: apt - APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-upda...2012
CVE-2012-3587 (LOW CVSS 2.6) | APT 0.7.x before 0.7.25 and 0.8.x b | cvebase.io