CVE-2015-3406 : The PGP signature parsing in Module::Signature before 0.74 allows remote attacke

The PGP signature parsing in Module::Signature before 0.74 allows remote attackers to cause the unsigned portion of a SIGNATURE file to be treated as the signed portion via unspecified vectors.

Published 2019-11-29 21:15:11

Updated 2019-12-16 19:48:01

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2015-3406

Canonical » Ubuntu Linux » Version: 15.04
cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 14.10
cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
Matching versions
Module-signature Project » Module-signature
Versions before (<) 0.74
cpe:2.3:a:module-signature_project:module-signature:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-3406

EPSS FAQ

1.34%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-3406

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.4	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:P	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2015-3406

CWE-681 Incorrect Conversion between Numeric Types

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-3406

https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f

* Fix issues reported by John Lightsey · audreyt/module-signature@8a91645 · GitHub
Patch;Third Party Advisory

CVEs referencing this url
http://ubuntu.com/usn/usn-2607-1

USN-2607-1: Module::Signature vulnerabilities | Ubuntu security notices
Patch;Release Notes;Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2015/04/23/17

oss-security - Re: CVE request: Module::Signature before 0.75 - multiple vulnerabilities
Mailing List;Patch;Third Party Advisory

CVEs referencing this url
https://metacpan.org/changes/distribution/Module-Signature

Changes - metacpan.org
Release Notes;Vendor Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2015/04/07/1

oss-security - CVE request: Module::Signature before 0.75 - multiple vulnerabilities
Mailing List;Patch;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2015-3406

Products affected by CVE-2015-3406

Exploit prediction scoring system (EPSS) score for CVE-2015-3406

CVSS scores for CVE-2015-3406

CWE ids for CVE-2015-3406

References for CVE-2015-3406