{"containers":{"cna":{"affected":[{"product":"Python-apt","vendor":"Canonical","versions":[{"lessThan":"0.8.3ubuntu7.5","status":"affected","version":"0.8.3","versionType":"custom"},{"lessThan":"0.9.3.5ubuntu3+esm2","status":"affected","version":"0.9.3.5","versionType":"custom"},{"lessThan":"1.1.0~beta1ubuntu0.16.04.7","status":"affected","version":"1.1.0","versionType":"custom"},{"lessThan":"1.6.5ubuntu0.1","status":"affected","version":"1.6.5","versionType":"custom"},{"lessThan":"1.9.0ubuntu1.2","status":"affected","version":"1.9.0","versionType":"custom"}]}],"credits":[{"lang":"en","value":"Julian Andres Klode"}],"datePublic":"2019-08-06T00:00:00.000Z","descriptions":[{"lang":"en","value":"python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.7,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-327","description":"CWE-327 Use of a Broken or Risky Cryptographic Algorithm","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2020-03-26T13:00:21.000Z","orgId":"cc1ad9ee-3454-478d-9317-d3e869d708bc","shortName":"canonical"},"references":[{"tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://usn.ubuntu.com/4247-1/"},{"tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://usn.ubuntu.com/4247-3/"}],"source":{"advisory":"https://usn.ubuntu.com/usn/usn-4247-1","defect":["https://bugs.launchpad.net/ubuntu/%2Bsource/python-apt/%2Bbug/1858972"],"discovery":"UNKNOWN"},"title":"python-apt uses MD5 for validation","x_generator":{"engine":"Vulnogram 0.0.9"},"x_legacyV4Record":{"CVE_data_meta":{"AKA":"","ASSIGNER":"security@ubuntu.com","DATE_PUBLIC":"2019-08-06T16:33:00.000Z","ID":"CVE-2019-15795","STATE":"PUBLIC","TITLE":"python-apt uses MD5 for validation"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Python-apt","version":{"version_data":[{"platform":"","version_affected":"<","version_name":"0.8.3","version_value":"0.8.3ubuntu7.5"},{"platform":"","version_affected":"<","version_name":"0.9.3.5","version_value":"0.9.3.5ubuntu3+esm2"},{"platform":"","version_affected":"<","version_name":"1.1.0","version_value":"1.1.0~beta1ubuntu0.16.04.7"},{"platform":"","version_affected":"<","version_name":"1.6.5","version_value":"1.6.5ubuntu0.1"},{"platform":"","version_affected":"<","version_name":"1.9.0","version_value":"1.9.0ubuntu1.2"}]}}]},"vendor_name":"Canonical"}]}},"configuration":[],"credit":[{"lang":"eng","value":"Julian Andres Klode"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"python-apt only checks the MD5 sums of downloaded files in `Version.fetch_binary()` and `Version.fetch_source()` of apt/package.py in version 1.9.0ubuntu1 and earlier. This allows a man-in-the-middle attack which could potentially be used to install altered packages and has been fixed in versions 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5."}]},"exploit":[],"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.7,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-327 Use of a Broken or Risky Cryptographic Algorithm"}]}]},"references":{"reference_data":[{"name":"","refsource":"UBUNTU","url":"https://usn.ubuntu.com/4247-1/"},{"name":"","refsource":"UBUNTU","url":"https://usn.ubuntu.com/4247-3/"}]},"solution":[],"source":{"advisory":"https://usn.ubuntu.com/usn/usn-4247-1","defect":["https://bugs.launchpad.net/ubuntu/%2Bsource/python-apt/%2Bbug/1858972"],"discovery":"UNKNOWN"},"work_around":[]}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-05T00:56:22.746Z"},"title":"CVE Program Container","references":[{"tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://usn.ubuntu.com/4247-1/"},{"tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://usn.ubuntu.com/4247-3/"}]}]},"cveMetadata":{"assignerOrgId":"cc1ad9ee-3454-478d-9317-d3e869d708bc","assignerShortName":"canonical","cveId":"CVE-2019-15795","datePublished":"2020-03-26T13:00:21.299Z","dateReserved":"2019-08-29T00:00:00.000Z","dateUpdated":"2024-09-16T19:45:50.191Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}