CVE-2020-27351 : Various memory and file descriptor leaks were found in apt-python files python/a

Various memory and file descriptor leaks were found in apt-python files python/arfile.cc, python/tag.cc, python/tarfile.cc, aka GHSL-2020-170. This issue affects: python-apt 1.1.0~beta1 versions prior to 1.1.0~beta1ubuntu0.16.04.10; 1.6.5ubuntu0 versions prior to 1.6.5ubuntu0.4; 2.0.0ubuntu0 versions prior to 2.0.0ubuntu0.20.04.2; 2.1.3ubuntu1 versions prior to 2.1.3ubuntu1.1;

Published 2020-12-10 04:15:12

Updated 2020-12-14 19:56:19

Source Canonical Ltd.

View at NVD, CVE.org

Products affected by CVE-2020-27351

Debian » Advanced Package Tool
Versions from including (>=) 2.0.0ubuntu0 and before (<) 2.0.0ubuntu0.20.04.2
cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*
Matching versions
When used together with: Canonical » Ubuntu Linux » Version: 20.04 LTS Edition
Debian » Advanced Package Tool
Versions from including (>=) 1.6.5ubuntu0 and before (<) 1.6.5ubuntu0.4
cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*
Matching versions
When used together with: Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
Debian » Advanced Package Tool
Versions from including (>=) 2.1.3ubuntu1 and before (<) 2.1.30ubuntu1.1
cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*
Matching versions
When used together with: Canonical » Ubuntu Linux » Version: 20.10
Debian » Advanced Package Tool
Versions from including (>=) 1.1.0\~beta1 and before (<) 1.1.0\~beta1ubuntu0.16.04.10
cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*
Matching versions
When used together with: Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
Debian » Advanced Package Tool
Versions before (<) 1.8.4.2
cpe:2.3:a:debian:advanced_package_tool:*:*:*:*:*:*:*:*
Matching versions
When used together with: Debian » Debian Linux » Version: 10.0

Exploit prediction scoring system (EPSS) score for CVE-2020-27351

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 14 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-27351

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.1	LOW	AV:L/AC:L/Au:N/C:N/I:N/A:P	3.9	2.9	NIST
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
2.8	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L	1.3	1.4	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: Low
2.0	LOW	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L	0.6	1.4	Canonical Ltd.
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2020-27351

CWE-772 Missing Release of Resource after Effective Lifetime

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
Assigned by:
- nvd@nist.gov (Primary)
- security@ubuntu.com (Secondary)

References for CVE-2020-27351

https://usn.ubuntu.com/usn/usn-4668-1

Vendor Advisory
https://www.debian.org/security/2020/dsa-4809

Debian -- Security Information -- DSA-4809-1 python-apt
Vendor Advisory
https://bugs.launchpad.net/bugs/1899193

Broken Link

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-27351

Products affected by CVE-2020-27351

Exploit prediction scoring system (EPSS) score for CVE-2020-27351

CVSS scores for CVE-2020-27351

CWE ids for CVE-2020-27351

References for CVE-2020-27351