CVE-2015-3408

Published: May 19, 2015Modified: May 6, 2026

10.0

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability: 10.0 / Impact: 10.0

Source: NVD

Description

Module::Signature before 0.74 allows remote attackers to execute arbitrary shell commands via a crafted SIGNATURE file which is not properly handled when generating checksums from a signed manifest.

Affected (5)

Products: Module Signature Project: Module Signature · Canonical: Ubuntu Linux

Module Signature Project

1 product

Module Signature

Canonical

1 product

Ubuntu Linux

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Module Signature Project Module Signature	Up to 0.73

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 14.10
Canonical Ubuntu Linux	Version 15.04

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (12)

http://ubuntu.com/usn/usn-2607-1

Source: cve@mitre.org

http://www.debian.org/security/2015/dsa-3261

Source: cve@mitre.org

http://www.openwall.com/lists/oss-security/2015/04/07/1

Source: cve@mitre.org

http://www.openwall.com/lists/oss-security/2015/04/23/17

Source: cve@mitre.org

https://github.com/audreyt/module-signature/commit/8a9164596fa5952d4fbcde5aa1c7d1c7bc85372f

Source: cve@mitre.org

https://metacpan.org/changes/distribution/Module-Signature

Source: cve@mitre.org

http://ubuntu.com/usn/usn-2607-1