CVE-2016-1587
Published on: 04/22/2019 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:27:04 PM UTC
Certain versions of Snapweb from Snapweb contain the following vulnerability:
The Snapweb interface before version 0.21.2 was exposing controls to install or remove snap packages without controlling the identity of the user, nor the origin of the connection. An attacker could have used the controls to remotely add a valid, but malicious, snap package, from the Store, potentially using system resources without permission from the legitimate administrator of the system.
- CVE-2016-1587 has been assigned by
[email protected] to track the vulnerability - currently rated as HIGH severity. - Affected Vendor/Software: Ubuntu - snapweb version 0.21.2
CVSS3 Score: 7.5 - HIGH
| Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
|
|---|---|---|---|---|
| NETWORK | LOW | NONE | NONE | |
| Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
|
| UNCHANGED | NONE | NONE | HIGH |
CVSS2 Score: 5 - MEDIUM
| Access Vector ⓘ |
Access Complexity |
Authentication |
|---|---|---|
| NETWORK | LOW | NONE |
| Confidentiality Impact |
Integrity Impact |
Availability Impact |
| NONE | NONE | PARTIAL |
CVE References
| Description | Tags ⓘ | Link |
|---|---|---|
| Merge pull request #84 from dbarth/token · snapcore/[email protected] · GitHub | Patch Third Party Advisory github.com text/html |
MISC github.com/snapcore/snapweb/commit/3f4cf9403f7687fbc8e27c0e01b2cf6aa5e7e0d5 |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Snapweb | Snapweb | All | All | All | All |
| Application | Snapweb | Snapweb | All | All | All | All |
- cpe:2.3:a:snapweb:snapweb:*:*:*:*:*:*:*:*:
- cpe:2.3:a:snapweb:snapweb:*:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE