ubuntucve | Ubuntu.com | UB:CVE-2016-1587
History: Oct 27, 2016 - 12:00 a.m.

CVE-2016-1587


CVSS2: 5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 43.0%

The Snapweb interface before version 0.21.2 exposed controls to install
or remove snap packages without verifying the identity of the user or
the origin of the connection. An attacker could have used the controls
to remotely add a valid, but malicious, snap package from the Store,
potentially using system resources without permission from the
legitimate administrator of the system.

Notes

tyhicks: snapweb is delivered as a snap and is not built as a deb in the Ubuntu archive
