Vulnerability Details : CVE-2015-1337
Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2015-1337
Probability of exploitation activity in the next 30 days: 0.63%
Percentile, the proportion of vulnerabilities that are scored at or less: ~76%
CVSS scores for CVE-2015-1337
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST |
CWE ids for CVE-2015-1337
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-1337
- http://www.ubuntu.com/usn/USN-2746-2
  USN-2746-2: Simple Streams regression | Ubuntu security notices
- https://bugs.launchpad.net/ubuntu/%2Bsource/simplestreams/%2Bbug/1487004
  Bug #1487004 “Malicious server can bypass gpg verification and i...” : Bugs : simplestreams package : Ubuntu (Exploit)
- http://www.ubuntu.com/usn/USN-2746-1
  USN-2746-1: Simple Streams vulnerability | Ubuntu security notices
Products affected by CVE-2015-1337
- cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:a:simpestreams_project:simplestreams:-:*:*:*:*:*:*:*