CVE-2015-1337

medium

Published 2015-10-09 · Modified 2026-05-06

CVSS v3

—

CVSS v2

6.8

VIR risk

6.8

Description

Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

OS impact

OS	Version	Status	Fixed in
ubuntu	14.04	affected
ubuntu	15.04	affected

Application impact

Vendor	Product	Versions	Fixed
simpestreams_project	simplestreams	`-`

References

http://www.ubuntu.com/usn/USN-2746-1
http://www.ubuntu.com/usn/USN-2746-2
https://bugs.launchpad.net/ubuntu/%2Bsource/simplestreams/%2Bbug/1487004
http://www.ubuntu.com/usn/USN-2746-1
http://www.ubuntu.com/usn/USN-2746-2
https://bugs.launchpad.net/ubuntu/%2Bsource/simplestreams/%2Bbug/1487004

CWEs

CWE-20

Verify integrity in audit chain (admin only). AS-IS.