Lucene search

[email protected]CVE-2020-27350

HistoryDec 10, 2020 - 4:15 a.m.

CVE-2020-27350

2020-12-1004:15:11

CWE-190

[email protected]

web.nvd.nist.gov

269

cve-2020-27350

apt

integer overflows

underflows

.deb packages

ghsl-2020-168

ghsl-2020-169

5.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

5.2 Medium

AI Score

Confidence

High

4.6 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.0005 Low

EPSS

Percentile

17.3%

JSON

APT had several integer overflows and underflows while parsing .deb packages, aka GHSL-2020-168 GHSL-2020-169, in files apt-pkg/contrib/extracttar.cc, apt-pkg/deb/debfile.cc, and apt-pkg/contrib/arfile.cc. This issue affects: apt 1.2.32ubuntu0 versions prior to 1.2.32ubuntu0.2; 1.6.12ubuntu0 versions prior to 1.6.12ubuntu0.2; 2.0.2ubuntu0 versions prior to 2.0.2ubuntu0.2; 2.1.10ubuntu0 versions prior to 2.1.10ubuntu0.1;

Affected configurations

NVD

Node

debianadvanced_package_toolRange1.2.32ubuntu0–1.2.32ubuntu0.2

AND

canonicalubuntu_linuxMatch16.04lts

Node

debianadvanced_package_toolRange1.6.12ubuntu0–1.6.12ubuntu0.2

AND

canonicalubuntu_linuxMatch18.04lts

Node

debianadvanced_package_toolRange2.0.2ubuntu0–2.0.2ubuntu0.2

AND

canonicalubuntu_linuxMatch20.04lts

Node

debianadvanced_package_toolRange2.1.10ubuntu0–2.1.10ubuntu0.2

AND

canonicalubuntu_linuxMatch20.10

Node

debianadvanced_package_toolRange<1.8.2.2

AND

debiandebian_linuxMatch10.0

Node

netappsolidfire_baseboard_management_controller_firmwareMatch-

AND

netappsolidfire_baseboard_management_controllerMatch-

CPENameOperatorVersion
debian:advanced_package_tooldebian advanced package toollt1.2.32ubuntu0.2

CPE	Name	Operator	Version
debian:advanced_package_tool	debian advanced package tool	lt	1.2.32ubuntu0.2

CNA Affected

[
  {
    "product": "apt",
    "vendor": "Canonical",
    "versions": [
      {
        "lessThan": "1.2.32ubuntu0.2",
        "status": "affected",
        "version": "1.2.32ubuntu0",
        "versionType": "custom"
      },
      {
        "lessThan": "1.6.12ubuntu0.2",
        "status": "affected",
        "version": "1.6.12ubuntu0",
        "versionType": "custom"
      },
      {
        "lessThan": "2.0.2ubuntu0.2",
        "status": "affected",
        "version": "2.0.2ubuntu0",
        "versionType": "custom"
      },
      {
        "lessThan": "2.1.10ubuntu0.1",
        "status": "affected",
        "version": "2.1.10ubuntu0",
        "versionType": "custom"
      }
    ]
  }
]