CVE-2014-0478 — Improper Input Validation in Advanced Package Tool

CWE-20 — Improper Input Validation8 documents7 sources

Severity

4.0MEDIUMNVD

EPSS

0.2%

top 54.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian APT Debian Advanced Package Tool

Timeline

PublishedJun 17

Latest updateMay 13

Description

APT before 1.0.4 does not properly validate source packages, which allows man-in-the-middle attackers to download and install Trojan horse packages by removing the Release signature.

CVSS vector

AV:N/AC:H/C:N/I:P/A:PExploitability: 4.9 | Impact: 4.9

Affected Packages2 packages

▶Debiandebian/apt< 1.0.4+3

▶NVDdebian/advanced_package_tool1.0.3

🔴Vulnerability Details

GHSA

GHSA-3h3c-x5j6-p285: APT before 1↗2022-05-13

▶

OSV

CVE-2014-0478: APT before 1↗2014-06-17

▶

CVEList

CVE-2014-0478: APT before 1↗2014-06-17

▶

📋Vendor Advisories

Ubuntu

APT vulnerability↗2014-06-17

▶

Debian

CVE-2014-0478: apt - APT before 1.0.4 does not properly validate source packages, which allows man-in...↗2014

▶

💬Community

Bugzilla

CVE-2014-0478 apt: no source package authentication checks↗2014-06-13

▶

Bugzilla

CVE-2014-0478 apt: no source package authentication checks [fedora-all]↗2014-06-13

▶