Lucene search

K

[email protected]NVD:CVE-2011-3152

HistoryApr 27, 2014 - 8:55 p.m.

CVE-2011-3152

2014-04-2720:55:23

CWE-310

[email protected]

web.nvd.nist.gov

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

6.6 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

49.7%

DistUpgrade/DistUpgradeFetcherCore.py in Update Manager before 1:0.87.31.1, 1:0.134.x before 1:0.134.11.1, 1:0.142.x before 1:0.142.23.1, 1:0.150.x before 1:0.150.5.1, and 1:0.152.x before 1:0.152.25.5 on Ubuntu 8.04 through 11.10 does not verify the GPG signature before extracting an upgrade tarball, which allows man-in-the-middle attackers to (1) create or overwrite arbitrary files via a directory traversal attack using a crafted tar file, or (2) bypass authentication via a crafted meta-release file.

Affected configurations

NVD

Node

canonicalupdate-managerRange≤1\:0.87.24

OR

canonicalupdate-managerMatch1\0.134.7

OR

canonicalupdate-managerMatch1\0.142.19

OR

canonicalupdate-managerMatch1\0.150

OR

canonicalupdate-managerMatch1\0.152.25

OR

canonicalubuntu_linuxMatch8.04-lts

OR

canonicalubuntu_linuxMatch10.04-lts

OR

canonicalubuntu_linuxMatch10.10

OR

canonicalubuntu_linuxMatch11.04

OR

canonicalubuntu_linuxMatch11.10

References

secunia.com/advisories/47024

www.osvdb.org/77642

www.securityfocus.com/bid/50833

www.ubuntu.com/usn/USN-1284-1

bugs.launchpad.net/ubuntu/%2Bsource/update-manager/%2Bbug/881548

exchange.xforce.ibmcloud.com/vulnerabilities/71494

6.4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

6.6 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

49.7%

Related for NVD:CVE-2011-3152

ubuntucve1 seebug1 cve1 prion1 cvelist1 openvas4 ubuntu2 nessus2