CVE-2014-0490

The apt-get download command in APT before 1.0.9 does not properly validate signatures for packages, which allows remote attackers to execute arbitrary code via a crafted package.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
debianCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 70%
VendorProductVersion
debianadvanced_package_tool
𝑥
≤ 1.0.8
debianadvanced_package_tool
1.0.3
debianadvanced_package_tool
1.0.4
debianadvanced_package_tool
1.0.5
debianadvanced_package_tool
1.0.6
debianadvanced_package_tool
1.0.7
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
apt
bullseye
2.2.4
fixed
squeeze
not-affected
bookworm
2.6.1
fixed
sid
2.9.10
fixed
trixie
2.9.10
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
apt
trusty
Fixed 1.0.1ubuntu2.3
released
precise
Fixed 0.8.16~exp12ubuntu10.19
released
lucid
Fixed 0.7.25.3ubuntu9.16
released
Common Weakness Enumeration
References
http://secunia.com/advisories/61275
http://secunia.com/advisories/61286
http://ubuntu.com/usn/usn-2348-1
http://www.debian.org/security/2014/dsa-3025
http://secunia.com/advisories/61275
http://secunia.com/advisories/61286
http://ubuntu.com/usn/usn-2348-1
http://www.debian.org/security/2014/dsa-3025