Vulnerability Name:

CVE-2015-3408 (CCN-105078)

Assigned:2015-04-06
Published:2015-04-06
Updated:2017-11-04
Summary:Module::Signature before 0.74 allows remote attackers to execute arbitrary shell commands via a crafted SIGNATURE file which is not properly handled when generating checksums from a signed manifest.
CVSS v3 Severity:10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
7.4 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
9.3 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
6.9 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Athentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-77
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2015-3408

Source: UBUNTU
Type: UNKNOWN
USN-2607-1

Source: DEBIAN
Type: UNKNOWN
DSA-3261

Source: CCN
Type: oss-security Mailing List, Mon, 06 Apr 2015 23:52:09 -0500
CVE request: Module::Signature before 0.75 - multiple vulnerabilities

Source: MLIST
Type: UNKNOWN
[oss-security] 20150406 CVE request: Module::Signature before 0.75 - multiple vulnerabilities

Source: MLIST
Type: UNKNOWN
[oss-security] 20150423 Re: CVE request: Module::Signature before 0.75 - multiple vulnerabilities

Source: XF
Type: UNKNOWN
perl-signature-cve20153408-cmd-exec(105078)

Source: CONFIRM
Type: UNKNOWN
https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f

Source: CCN
Type: metacpan Web site
AUDREYT / Module-Signature-0.79 / Changes

Source: CONFIRM
Type: UNKNOWN
https://metacpan.org/changes/distribution/Module-Signature

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-3408

Vulnerable Configuration:Configuration 1:
  • cpe:/a:module-signature_project:module-signature:*:*:*:*:*:*:*:* (Version <= 0.73)

    • Configuration 2:
  • cpe:/o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20153408
    V
    		CVE-2015-3408
    2022-06-30
    oval:org.opensuse.security:def:113123
    P
    		perl-Module-Signature-0.81-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:106557
    P
    		perl-Module-Signature-0.81-1.1 on GA media (Moderate)
    2021-10-01
    oval:org.cisecurity:def:13
    P
    		DSA-3261-1 -- libmodule-signature-perl -- security update
    2016-02-08
    oval:com.ubuntu.precise:def:20153408000
    V
    		CVE-2015-3408 on Ubuntu 12.04 LTS (precise) - medium.
    2015-05-19
    oval:com.ubuntu.trusty:def:20153408000
    V
    		CVE-2015-3408 on Ubuntu 14.04 LTS (trusty) - medium.
    2015-05-19
    BACK
    module-signature_project module-signature *
    canonical ubuntu linux 12.04
    canonical ubuntu linux 14.04
    canonical ubuntu linux 14.10
    canonical ubuntu linux 15.04