Description
Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2746-2
Exploit x_refsource_confirm
https://bugs.launchpad.net/ubuntu/%2Bsource/simplestreams/%2Bbug/1487004
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2746-1
Scores
EPSS
0.0171
EPSS Percentile
74.6%
Details
CWE
CWE-20
Status
published
Products (3)
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
15.04
simpestreams_project/simplestreams
Published
Oct 09, 2015
Tracked Since
Feb 18, 2026