Vulnerability Details : CVE-2020-3810
Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.
Vulnerability category: Input validationDenial of service
Products affected by CVE-2020-3810
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:debian:apt:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-3810
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 36 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-3810
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST | |
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2020-3810
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
-
The product reads data past the end, or before the beginning, of the intended buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-3810
-
https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6
SECURITY UPDATE: Fix out of bounds read in .ar and .tar implementation (CVE-2020-3810) (dceb1e49) · Commits · APT Developers / apt · GitLabPatch;Vendor Advisory
-
https://usn.ubuntu.com/4359-1/
USN-4359-1: APT vulnerability | Ubuntu security noticesThird Party Advisory
-
https://github.com/Debian/apt/issues/111
An out-of-bounds bug occurs in the Ararchive::Loadheaders function · Issue #111 · Debian/apt · GitHubExploit;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/
[SECURITY] Fedora 32 Update: apt-2.1.7-1.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.debian.org/debian-security-announce/2020/msg00089.html
[SECURITY] [DSA 4685-1] apt security updateMailing List;Vendor Advisory
-
https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/
Debian Package TrackerRelease Notes;Vendor Advisory
-
https://bugs.launchpad.net/bugs/1878177
Bug #1878177 “CVE-2020-3810 out-of-bound stack reads in arfile” : Bugs : apt package : UbuntuIssue Tracking;Third Party Advisory
-
https://usn.ubuntu.com/4359-2/
USN-4359-2: APT vulnerability | Ubuntu security noticesThird Party Advisory
Jump to