CVE-2015-3406Incorrect Conversion between Numeric Types in Project Module-signature

CWE-681Incorrect Conversion between Numeric TypesCWE-347Improper Verification of Cryptographic Signature8 documents7 sources
Severity
7.5HIGHNVD
EPSS
1.3%
top 20.52%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Module-signature Project Module-signatureDebian Libmodule-signature-perlCanonical Ubuntu Linux
Timeline
PublishedNov 29
Latest updateMay 24

Description

The PGP signature parsing in Module::Signature before 0.74 allows remote attackers to cause the unsigned portion of a SIGNATURE file to be treated as the signed portion via unspecified vectors.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

debiandebian/libmodule-signature-perl< libmodule-signature-perl 0.78-1 (bookworm)

Also affects: Ubuntu Linux 12.04, 14.04, 14.10, 15.04

Patches

Patch: ubuntu.comPatch: www.openwall.comPatch: www.openwall.com

🔴Vulnerability Details

3
GHSA
GHSA-2jr6-2g4g-4jhj: The PGP signature parsing in Module::Signature before 02022-05-24
OSV
CVE-2015-3406: The PGP signature parsing in Module::Signature before 02019-11-29
OSV
libmodule-signature-perl vulnerabilities2015-05-12

📋Vendor Advisories

3
Ubuntu
Module::Signature vulnerabilities2015-05-12
Red Hat
perl-Module-Signature: unsigned files interpreted as signed in some circumstances2015-04-05
Debian
CVE-2015-3406: libmodule-signature-perl - The PGP signature parsing in Module::Signature before 0.74 allows remote attacke...2015

💬Community

1
Bugzilla
CVE-2015-3406 perl-Module-Signature: unsigned files interpreted as signed in some circumstances2015-04-08
CVE-2015-3406 — Project Module-signature vulnerability | cvebase