CVE-2019-11480

moderate-risk
Published 2020-04-14

The pc-kernel snap build process hardcoded the --allow-insecure-repositories and --allow-unauthenticated apt options when creating the build chroot environment. This could allow an attacker who is able to perform a MITM attack between the build environment and the Ubuntu archive to install a malicious package within the build chroot. This issue affects pc-kernel versions prior to and including 2019-07-16

Do I need to act?

-
0.43% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.4/10 High
ADJACENT_NETWORK / LOW complexity

Affected Products (1)

C-Kernel

Affected Vendors

Canonical

References (4)

Exploit https://bugs.launchpad.net/bugs/1836041
Third Party Advisory https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11480
Exploit https://bugs.launchpad.net/bugs/1836041
Third Party Advisory https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11480
33
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 2/34 · Minimal
Exposure 5/34 · Minimal