Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-1252

CWE-295 โ€” Improper Certificate Validation7 documents7 sources
Severity
5.9MEDIUM
EPSS
6.0%
top 9.36%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Debian Advanced Package ToolCanonical Ubuntu Linux
Timeline
PublishedDec 5
Latest updateMay 13

Description

The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

โ–ถNVDdebian/advanced_package_tool< 1.0.9.8.4
โ–ถDebianapt< 1.4~beta2+3

Also affects: Ubuntu Linux 14.04, 16.04, 16.10

๐Ÿ”ดVulnerability Details

3
GHSA
GHSA-53rm-7gr9-9hfx: The apt package in Debian jessie before 1โ†—2022-05-13
โ–ถ
CVEList
CVE-2016-1252: The apt package in Debian jessie before 1โ†—2017-12-05
โ–ถ
OSV
CVE-2016-1252: The apt package in Debian jessie before 1โ†—2017-12-05
โ–ถ

๐Ÿ’ฅExploits & PoCs

1
Exploit-DB
APT - Repository Signing Bypass via Memory Allocation Failureโ†—2016-12-14
โ–ถ

๐Ÿ“‹Vendor Advisories

2
Ubuntu
APT vulnerabilityโ†—2016-12-13
โ–ถ
Debian
CVE-2016-1252: apt - The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4...โ†—2016
โ–ถ
CVE-2016-1252 (MEDIUM CVSS 5.9) | The apt package in Debian jessie be | cvebase.io