Vulnerability Name:

CVE-2019-15796 (CCN-175014)

Assigned:2019-08-29
Published:2020-01-23
Updated:2020-10-19
Summary:Python-apt doesn't check whether hashes are signed in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py or in `_fetch_archives()` of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories, which shouldn't be allowed, and has been fixed in versions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.
CVSS v3 Severity:4.7 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
4.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-347
CWE-287
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2019-15796

Source: XF
Type: UNKNOWN
pythonapt-cve201915796-sec-bypass(175014)

Source: CCN
Type: Packet Storm Security [01-23-2020]
Ubuntu Security Notice USN-4247-3

Source: CCN
Type: Python Web site
python-apt

Source: UBUNTU
Type: Patch, Third Party Advisory
N/A

Source: UBUNTU
Type: Patch, Third Party Advisory
N/A

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ubuntu:python-apt:0.8.0:ubuntu9:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.8.1:ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.8.3:ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.8.3:ubuntu2:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.8.3:ubuntu3:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.8.3:ubuntu4:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.8.3:ubuntu5:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.8.3:ubuntu6:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.8.3:ubuntu7:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.8.3:ubuntu7.1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.8.3:ubuntu7.2:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.8.3:ubuntu7.3:*:*:*:*:*:*
  • AND
  • cpe:/o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*

Configuration 2:
  • cpe:/a:ubuntu:python-apt:0.8.9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.8.9.1:ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.1:build1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.1:build2:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.1:ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.3.2:ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.3.2:ubuntu2:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.3.3:ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.3.4:build1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.3.5:ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.3.5:ubuntu2:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:0.9.3.5:ubuntu3:*:*:*:*:*:*
  • AND
  • cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

Configuration 3:
  • cpe:/a:ubuntu:python-apt:1.0.1:build1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.0.1:ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.0.1:ubuntu2:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.1.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.1.0:beta1build1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.2:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.3:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.4:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.1.0:beta1ubuntu0.16.04.5:*:*:*:*:*:*
  • AND
  • cpe:/o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

Configuration 4:
  • cpe:/a:debian:python-apt:1.8.4:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.4.0:beta3build2:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.4.0:beta3ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.6.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.6.0:rc2ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.6.0:rc2ubuntu2:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.6.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.6.2:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.6.3:ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.8.4:*:*:*:*:*:*:*
  • AND
  • cpe:/o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Configuration 5:
  • cpe:/a:ubuntu:python-apt:1.8.4:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.9.0:alpha0~ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.9.0:alpha0~ubuntu2:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.9.0:ubuntu1:*:*:*:*:*:*
  • AND
  • cpe:/o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*

Configuration 6:
  • cpe:/a:ubuntu:python-apt:1.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.8.0:alpha0~ubuntu1:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.8.0:alpha0~ubuntu2:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.8.2:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:ubuntu:python-apt:1.8.4:*:*:*:*:*:*:*
  • AND
  • cpe:/o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:com.ubuntu.disco:def:2019157960000000 | V | CVE-2019-15796 on Ubuntu 19.04 (disco) - medium. | 2020-01-20
oval:com.ubuntu.bionic:def:2019157960000000 | V | CVE-2019-15796 on Ubuntu 18.04 LTS (bionic) - medium. | 2020-01-20
oval:com.ubuntu.xenial:def:2019157960000000 | V | CVE-2019-15796 on Ubuntu 16.04 LTS (xenial) - medium. | 2020-01-20