CVE-2020-16122

2020-06-1300:00:00

ubuntu.com

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS3

8.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS

Percentile

12.6%

JSON

PackageKit’s apt backend mistakenly treated all local debs as trusted. The
apt security model is based on repository trust and not on the contents of
individual files. On sites with configured PolicyKit rules this may allow
users to install malicious packages.

Bugs

<https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098>

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchpackagekit< 1.1.9-1ubuntu2.18.04.6UNKNOWN
ubuntu20.04noarchpackagekit< 1.1.13-2ubuntu1.1UNKNOWN
ubuntu16.04noarchpackagekit< 0.8.17-4ubuntu6~gcc5.4ubuntu1.5UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	packagekit	< 1.1.9-1ubuntu2.18.04.6	UNKNOWN
ubuntu	20.04	noarch	packagekit	< 1.1.13-2ubuntu1.1	UNKNOWN
ubuntu	16.04	noarch	packagekit	< 0.8.17-4ubuntu6~gcc5.4ubuntu1.5	UNKNOWN