FKIE_CVE-2012-0214

Vulnerability from fkie_nvd - Published: 2014-04-15 23:55 - Updated: 2026-05-06 22:30
Severity
Summary
The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user from downloading the new InRelease file, which leaves the original InRelease file active and makes it more difficult to detect that the Packages file is modified and unsigned.
References
security@debian.orghttp://anonscm.debian.org/gitweb/?p=apt/apt.git%3Ba=commitdiff%3Bh=b7a6594d1e5ed199a7a472b78b33e070375d6f92
security@debian.orghttp://anonscm.debian.org/gitweb/?p=apt/apt.git%3Ba=commitdiff%3Bh=de498a528cd6fc36c4bb22bf8dec6558e21cc9b6
security@debian.orghttp://www.ubuntu.com/usn/USN-1385-1
af854a3a-2127-422b-91ae-364da2661108http://anonscm.debian.org/gitweb/?p=apt/apt.git%3Ba=commitdiff%3Bh=b7a6594d1e5ed199a7a472b78b33e070375d6f92
af854a3a-2127-422b-91ae-364da2661108http://anonscm.debian.org/gitweb/?p=apt/apt.git%3Ba=commitdiff%3Bh=de498a528cd6fc36c4bb22bf8dec6558e21cc9b6
af854a3a-2127-422b-91ae-364da2661108http://www.ubuntu.com/usn/USN-1385-1
Impacted products
Vendor Product Version
advanced_package_tool advanced_package_tool *
advanced_package_tool advanced_package_tool 0.8.11
advanced_package_tool advanced_package_tool 0.8.12
advanced_package_tool advanced_package_tool 0.8.13
advanced_package_tool advanced_package_tool 0.8.14
advanced_package_tool advanced_package_tool 0.8.15
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:advanced_package_tool:advanced_package_tool:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0976AA44-B36F-4023-966F-206946FC3823",
              "versionEndIncluding": "0.8.16\\~exp12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:advanced_package_tool:advanced_package_tool:0.8.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "717AAEBC-858E-447A-8BDD-90C6E5F384D6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:advanced_package_tool:advanced_package_tool:0.8.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "03FCE192-4EAF-4A63-B6F7-E9409384C7DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:advanced_package_tool:advanced_package_tool:0.8.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A881068-FFCF-4AA1-90D6-84B64E721D4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:advanced_package_tool:advanced_package_tool:0.8.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "E46DE4C7-33E9-4828-8F86-51BFA0677C9B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:advanced_package_tool:advanced_package_tool:0.8.15:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB46FF4B-BCB4-47C1-ACAE-ED986AE8FB2A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user from downloading the new InRelease file, which leaves the original InRelease file active and makes it more difficult to detect that the Packages file is modified and unsigned."
    },
    {
      "lang": "es",
      "value": "El m\u00e9todo pkgAcqMetaClearSig::Failed en apt-pkg/acquire-item.cc en Advanced Package Tool (APT) 0.8.11 hasta 0.8.15.10 y 0.8.16 anterior a 0.8.16~exp13, cuando actualizando desde repositorios que utilizan ficheros lnRelease, permite a atacantes man-in-the-middle instalar paquetes arbitrarios previniendo al usuario de descargar el nuevo fichero InRelease, el cual deja el fichero InRelease original activo y hace m\u00e1s dif\u00edcil detectar que el fichero Packages est\u00e1 modificado y no firmado."
    }
  ],
  "id": "CVE-2012-0214",
  "lastModified": "2026-05-06T22:30:45.220",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-04-15T23:55:08.313",
  "references": [
    {
      "source": "security@debian.org",
      "url": "http://anonscm.debian.org/gitweb/?p=apt/apt.git%3Ba=commitdiff%3Bh=b7a6594d1e5ed199a7a472b78b33e070375d6f92"
    },
    {
      "source": "security@debian.org",
      "url": "http://anonscm.debian.org/gitweb/?p=apt/apt.git%3Ba=commitdiff%3Bh=de498a528cd6fc36c4bb22bf8dec6558e21cc9b6"
    },
    {
      "source": "security@debian.org",
      "url": "http://www.ubuntu.com/usn/USN-1385-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://anonscm.debian.org/gitweb/?p=apt/apt.git%3Ba=commitdiff%3Bh=b7a6594d1e5ed199a7a472b78b33e070375d6f92"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://anonscm.debian.org/gitweb/?p=apt/apt.git%3Ba=commitdiff%3Bh=de498a528cd6fc36c4bb22bf8dec6558e21cc9b6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-1385-1"
    }
  ],
  "sourceIdentifier": "security@debian.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.