CVE-2020-16122 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2020-16122

CVE-2020-16122

November 07, 2020

PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages.

Related Resources (3)

https://security-tracker.debian.org/tracker/CVE-2020-16122

https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098

https://people.canonical.com/~ubuntu-security/cve/CVE-2020-16122

Do you need more information?

CVSS v4

Base Score:

8.6

Attack Vector

LOCAL

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

HIGH

Subsequent System Integrity

HIGH

Subsequent System Availability

HIGH

CVSS v3

Base Score:

8.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

CVSS v2

Base Score:

2.1

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

Weakness Type (CWE)

Improper Privilege Management

CWE-269

Insufficient Verification of Data Authenticity

CWE-345

EPSS

Base Score:

0.08

Products

Solutions

Resources

Company

Compare

Developer Tools