CVE-2025-8454

EUVD-2025-23342
It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source is already downloaded from a previous run even if the verification failed back then.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
debiandevscripts
2.25.15
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
devscripts
bookworm
vulnerable
bullseye
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
devscripts
bionic
deferred
focal
deferred
jammy
deferred
noble
deferred
plucky
ignored
questing
deferred
trusty
deferred
xenial
deferred
Common Weakness Enumeration
References
https://bugs.debian.org/1109251