Vulnerability CVE-2007-4739


Published: 2007-09-06   Modified: 2012-02-12

Description:
reprepro 1.3.0 through 2.2.3 does not properly verify signatures when updating repositories, which allows remote attackers to construct and distribute an ostensibly valid Release.gpg file by signing it with an unknown key, related to the update command.
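
The failure mode in this description is a trust-decision bug rather than a broken cryptographic primitive: the downloader treats "no bad signature found" as "the Release file is signed by a key I trust", so a Release.gpg produced with a key that is simply absent from its keyring is accepted. The following is an added example, not reprepro's own code, that shows the weak decision beside the intended one. It works on the machine-readable status lines GnuPG writes to --status-fd (GOODSIG, VALIDSIG, BADSIG, ERRSIG, NO_PUBKEY); the allowlist name TRUSTED_FINGERPRINTS, the helper names, and every key ID, fingerprint and status sample are constructed placeholders for this example.

```python
"""Trust decision for a detached Release.gpg signature (added example, not
reprepro's code). A Release.gpg made by a key the consumer does not know must
be rejected, not treated as "no bad signature found".

Status samples, key IDs and fingerprints are constructed placeholders."""
import subprocess

# Hypothetical allowlist of archive signing keys (placeholder fingerprint).
TRUSTED_FINGERPRINTS = {
    "1234567890ABCDEF1234567890ABCDEF12345678",
}

STATUS_PREFIX = "[GNUPG:] "


def parse_status(status_text):
    """Turn '[GNUPG:] KEYWORD args...' lines into (keyword, [args]) tuples."""
    records = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        parts = line[len(STATUS_PREFIX):].split()
        if parts:
            records.append((parts[0], parts[1:]))
    return records


def weak_accept(status_text):
    """The flawed decision: accept unless gpg reported a BADSIG.

    A signature by an unknown key yields ERRSIG/NO_PUBKEY, not BADSIG, so an
    attacker-made Release.gpg passes this check."""
    return not any(kw == "BADSIG" for kw, _ in parse_status(status_text))


def strict_accept(status_text, trusted=TRUSTED_FINGERPRINTS):
    """The intended decision: at least one VALIDSIG from an allowlisted
    fingerprint, and no BADSIG on any signature in the file.

    ERRSIG/NO_PUBKEY contribute nothing: a signature that cannot be checked is
    not evidence, so a file carrying only such signatures is rejected."""
    records = parse_status(status_text)
    if any(kw == "BADSIG" for kw, _ in records):
        return False
    for kw, args in records:
        # VALIDSIG's first argument is the full fingerprint of the signing key.
        if kw == "VALIDSIG" and args and args[0].upper() in trusted:
            return True
    return False


def verify_release(release_path, sig_path, keyring, trusted=TRUSTED_FINGERPRINTS):
    """Run gpgv on a downloaded Release/Release.gpg pair and apply
    strict_accept to its status output. Needs gpgv installed; not run offline."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, sig_path, release_path],
        capture_output=True, text=True,
    )
    return strict_accept(proc.stdout, trusted)


# Constructed: signature by a key absent from the keyring
# (ERRSIG's last field is the gpg error code; 9 is "No public key").
UNKNOWN_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1188998400 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF
"""

# Constructed: good signature by the allowlisted key.
TRUSTED_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1234567890ABCDEF Example Archive Key <ftpmaster@example.org>
[GNUPG:] VALIDSIG 1234567890ABCDEF1234567890ABCDEF12345678 2007-09-05 1188998400 0 4 0 17 2 00 1234567890ABCDEF1234567890ABCDEF12345678
"""

# Constructed: good signature by a key in the keyring but not on the allowlist.
OTHER_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Some Other Key <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2007-09-05 1188998400 0 4 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""

# Constructed: tampered Release, signature does not verify.
BAD_SIG_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 1234567890ABCDEF Example Archive Key <ftpmaster@example.org>
"""


if __name__ == "__main__":
    for name, status in [("unknown key", UNKNOWN_KEY_STATUS),
                         ("trusted key", TRUSTED_KEY_STATUS),
                         ("other key", OTHER_KEY_STATUS),
                         ("bad signature", BAD_SIG_STATUS)]:
        print(f"{name:14s} weak={weak_accept(status)!s:5s} strict={strict_accept(status)}")
```

The point of the comparison is the "unknown key" case: weak_accept returns True because gpg reports NO_PUBKEY rather than BADSIG, while strict_accept returns False because no VALIDSIG from an allowlisted fingerprint is present. Matching on the full fingerprint from VALIDSIG rather than the short key ID in GOODSIG avoids accepting a key crafted to collide on the short ID.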

Type: CWE-264 (Permissions, Privileges, and Access Controls)

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score:          5.0/10
Impact Subscore:          2.9/10
Exploitability Subscore:  10.0/10

Exploit range:            Remote
Attack complexity:        Low
Authentication:           Not required
Confidentiality impact:   None
Integrity impact:         Partial
Availability impact:      None

Affected software: Debian -> Reprepro

References:
http://secunia.com/advisories/26678
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440535
http://alioth.debian.org/frs/shownotes.php?release_id=1031
http://osvdb.org/40172
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=interdiff;att=1;bug=440535
http://www.securityfocus.com/bid/25537
http://www.debian.org/security/2007/dsa-1394
http://secunia.com/advisories/27334

Copyright 2020, cxsecurity.com
