Vulnerability Details : CVE-2015-1330
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vectors.
Vulnerability category: BypassGain privilege
Exploit prediction scoring system (EPSS) score for CVE-2015-1330
Probability of exploitation activity in the next 30 days: 0.15%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 51 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2015-1330
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
CWE ids for CVE-2015-1330
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-1330
-
http://www.ubuntu.com/usn/USN-2657-1
USN-2657-1: unattended-upgrades vulnerability | Ubuntu security notices
-
http://www.debian.org/security/2015/dsa-3297
Debian -- Security Information -- DSA-3297-1 unattended-upgrades
-
http://www.securitytracker.com/id/1032738
unattended-upgrades File Authentication Bypass Flaw Lets Remote Users Execute Arbitrary Code - SecurityTracker
-
http://metadata.ftp-master.debian.org/changelogs//main/u/unattended-upgrades/unattended-upgrades_0.86.1_changelog
404 Not Found
Products affected by CVE-2015-1330
- cpe:2.3:a:debian:unattended-upgrades:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*