python-apt Does Not Check Hash Signature

Description

Python-apt doesn't check if hashes are signed in Version.fetch_binary() and Version.fetch_source() of apt/package.py or in _fetch_archives() of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn't be allowed and has been fixed in verisions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2022-05-24 17:12:47 UTC
Updated
2023-09-26 21:25:12 UTC
GitHub reviewed
2023-07-18 22:36:38 UTC
NVD published
2020-03-26

EPSS Score

Score Percentile
0.17% 39.19%

CVSS Scores

Base score Version Severity Vector
4.7 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-347 Improper Verification of Cryptographic Signature

Affected packages (5)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip python-apt < 0.8.3ubuntu7.5 0.8.3ubuntu7.5
pip python-apt >= 0.9.0, < 0.9.3.5ubuntu3 0.9.3.5ubuntu3
pip python-apt >= 1.2.0, < 1.6.5ubuntu0.1 1.6.5ubuntu0.1
pip python-apt >= 1.7.0, < 1.9.0ubuntu1.2 1.9.0ubuntu1.2
pip python-apt >= 1.9.1, < 1.9.5 1.9.5

References

cvelogic Threat Intelligence