The pc-kernel snap build process hardcoded the --allow-insecure-repositories and --allow-unauthenticated apt options when creating the…
canonical·CWE-353·Published 2020-04-14
The pc-kernel snap build process hardcoded the --allow-insecure-repositories and --allow-unauthenticated apt options when creating the build chroot environment. This could allow an attacker who is able to perform a MITM attack between the build environment and the Ubuntu archive to install a malicious package within the build chroot. This issue affects pc-kernel versions prior to and including 2019-07-16
The pc-kernel snap build process hardcoded the --allow-insecure-repositories and --allow-unauthenticated apt options when creating the build chroot environment. This could allow an attacker who is able to perform a MITM attack between the build environment and the Ubuntu archive to install a malicious package within the build chroot. This issue affects pc-kernel versions prior to and including 2019-07-16
El proceso de compilación instantánea de pc-kernel embebió las opciones apt --allow-insecure-repositories y --allow-unauthenticated cuando se crea el entorno chroot de compilación. Esto podría permitir a un atacante, que sea capaz de realizar un ataque de tipo MITM entre el entorno de compilación y el archivo de Ubuntu, instalar un paquete malicioso dentro del chroot de compilación. Este problema afecta al pc-kernel versiones anteriores e incluyendo a la 2019-07-16.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 6.8 | 8.6 | 6.4 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| 3.1 | Primary | cve.org | 8.4 | — | — | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | Primary | cve.org | 8.4 | — | — | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| 3.1 | Primary | NVD | 8.1 | 2.2 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 8.4 | 1.7 | 6.0 | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |