CVE-2018-0501
MEDIUM
Canonical Ubuntu Linux < 1.6.4 - Signature Verification Bypass
Title source: ruleDescription
The mirror:// method implementation in Advanced Package Tool (APT) 1.6.x before 1.6.4 and 1.7.x before 1.7.0~alpha3 mishandles gpg signature verification for the InRelease file of a fallback mirror, aka mirrorfail.
References (4)
Core References
Third Party Advisory, URL Repurposed x_refsource_misc
https://mirror.fail
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3746-1/
Patch, Third Party Advisory x_refsource_misc
https://salsa.debian.org/apt-team/apt/commit/aebd4278bacc728ab00ebe31556983e140f60e47
Patch, Third Party Advisory x_refsource_misc
https://salsa.debian.org/apt-team/apt/commit/29658a3a74af49e2a24e17bdebb20e1612aac3ec
Scores
CVSS v3
5.9
EPSS
0.0013
EPSS Percentile
32.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-347
Status
published
Products (3)
canonical/ubuntu_linux
18.04
debian/advanced_package_tool
1.7.0 alpha (3 CPE variants)
debian/advanced_package_tool
1.6.0 - 1.6.4
Published
Aug 21, 2018
Tracked Since
Feb 18, 2026