CVE-2014-0489

EUVD-2014-0520
APT before 1.0.9, when the Acquire::GzipIndexes option is enabled, does not validate checksums, which allows remote attackers to execute arbitrary code via a crafted package.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
Affected Products (NVD)
VendorProductVersion
debianadvanced_package_tool
1.0.3
debianadvanced_package_tool
1.0.5
debianadvanced_package_tool
1.0.7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
apt
bookworm
2.6.1
fixed
bullseye
2.2.4
fixed
sid
2.9.10
fixed
trixie
2.9.10
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
apt
lucid
Fixed 0.7.25.3ubuntu9.16
released
precise
Fixed 0.8.16~exp12ubuntu10.19
released
trusty
Fixed 1.0.1ubuntu2.3
released
Common Weakness Enumeration
References
http://secunia.com/advisories/61275
http://secunia.com/advisories/61286
http://ubuntu.com/usn/usn-2348-1
http://www.debian.org/security/2014/dsa-3025
http://secunia.com/advisories/61275
http://secunia.com/advisories/61286
http://ubuntu.com/usn/usn-2348-1
http://www.debian.org/security/2014/dsa-3025