CVE-2020-3810 - OpenCVE

Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Debian	Debian Linux Apt
Canonical	Ubuntu Linux
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:a:debian:apt::::::::
	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::-:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:19.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:20.04::::lts:::

References

Link	Resource
https://bugs.launchpad.net/bugs/1878177	Issue Tracking Third Party Advisory
https://github.com/Debian/apt/issues/111	Exploit Third Party Advisory
https://lists.debian.org/debian-security-announce/2020/msg00089.html	Mailing List Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/
https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6	Patch Vendor Advisory
https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/	Release Notes Vendor Advisory
https://usn.ubuntu.com/4359-1/	Third Party Advisory
https://usn.ubuntu.com/4359-2/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: debian

Published: 2020-05-14T00:00:00

Updated: 2020-07-19T02:06:08

Reserved: 2019-12-17T00:00:00

Link: CVE-2020-3810

JSON object: View

NVD Information

Status : Modified

Published: 2020-05-15T14:15:11.887

Modified: 2023-11-07T03:23:04.667

Link: CVE-2020-3810

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "apt", "vendor": "Debian", "versions": [{"status": "affected", "version": "before 2.1.2"}]}], "datePublic": "2020-05-14T00:00:00", "descriptions": [{"lang": "en", "value": "Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files."}], "problemTypes": [{"descriptions": [{"description": "apt out-of-bounds read in .ar/.tar implemations", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-19T02:06:08", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/Debian/apt/issues/111"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.launchpad.net/bugs/1878177"}, {"tags": ["x_refsource_MISC"], "url": "https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6"}, {"tags": ["x_refsource_MISC"], "url": "https://lists.debian.org/debian-security-announce/2020/msg00089.html"}, {"tags": ["x_refsource_MISC"], "url": "https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/"}, {"name": "USN-4359-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4359-1/"}, {"name": "USN-4359-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4359-2/"}, {"name": "FEDORA-2020-f03cfe3df5", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/"}], "source": {"advisory": "https://www.debian.org/security/2020/dsa-4685", "discovery": "EXTERNAL"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "DATE_PUBLIC": "2020-05-14T00:00:00.000Z", "ID": "CVE-2020-3810", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "apt", "version": {"version_data": [{"version_value": "before 2.1.2"}]}}]}, "vendor_name": "Debian"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "apt out-of-bounds read in .ar/.tar implemations"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Debian/apt/issues/111", "refsource": "MISC", "url": "https://github.com/Debian/apt/issues/111"}, {"name": "https://bugs.launchpad.net/bugs/1878177", "refsource": "MISC", "url": "https://bugs.launchpad.net/bugs/1878177"}, {"name": "https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6", "refsource": "MISC", "url": "https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6"}, {"name": "https://lists.debian.org/debian-security-announce/2020/msg00089.html", "refsource": "MISC", "url": "https://lists.debian.org/debian-security-announce/2020/msg00089.html"}, {"name": "https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/", "refsource": "MISC", "url": "https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/"}, {"name": "USN-4359-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4359-1/"}, {"name": "USN-4359-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4359-2/"}, {"name": "FEDORA-2020-f03cfe3df5", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/"}]}, "source": {"advisory": "https://www.debian.org/security/2020/dsa-4685", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2020-3810", "datePublished": "2020-05-14T00:00:00", "dateReserved": "2019-12-17T00:00:00", "dateUpdated": "2020-07-19T02:06:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:debian:apt:*:*:*:*:*:*:*:*", "matchCriteriaId": "56E3943E-AA71-4AA6-BA3E-6C153E4572B9", "versionEndExcluding": "2.1.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*", "matchCriteriaId": "CB66DB75-2B16-4EBF-9B93-CE49D8086E41", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Missing input validation in the ar/tar implementations of APT before version 2.1.2 could result in denial of service when processing specially crafted deb files."}, {"lang": "es", "value": "Una falta de comprobaci\u00f3n de entrada en las implementaciones de ar/tar de APT versiones anteriores a 2.1.2, podr\u00eda resultar en una denegaci\u00f3n de servicio al procesar archivos deb especialmente dise\u00f1ados"}], "id": "CVE-2020-3810", "lastModified": "2023-11-07T03:23:04.667", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-15T14:15:11.887", "references": [{"source": "security@debian.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugs.launchpad.net/bugs/1878177"}, {"source": "security@debian.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Debian/apt/issues/111"}, {"source": "security@debian.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.debian.org/debian-security-announce/2020/msg00089.html"}, {"source": "security@debian.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U4PEH357MZM2SUGKETMEHMSGQS652QHH/"}, {"source": "security@debian.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://salsa.debian.org/apt-team/apt/-/commit/dceb1e49e4b8e4dadaf056be34088b415939cda6"}, {"source": "security@debian.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://tracker.debian.org/news/1144109/accepted-apt-212-source-into-unstable/"}, {"source": "security@debian.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4359-1/"}, {"source": "security@debian.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4359-2/"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}