4.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-15796

GHSA ID

GHSA-pj65-3pf6-c5q4

EPSS Score

0.33874%

CWE

CWE-347

Published

5/24/2022

Updated

9/26/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-15796

CVE-2019-15796: python-apt Does Not Check Hash Signature

Python-apt doesn't check if hashes are signed in Version.fetch_binary() and Version.fetch_source() of apt/package.py or in _fetch_archives() of apt/cache.py in version 1.9.3ubuntu2 and earlier. This allows downloads from unsigned repositories which shouldn't be allowed and has been fixed in verisions 1.9.5, 1.9.0ubuntu1.2, 1.6.5ubuntu0.1, 1.1.0~beta1ubuntu0.16.04.7, 0.9.3.5ubuntu3+esm2, and 0.8.3ubuntu7.5.

(GitHub Advisory)

4.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-15796

GHSA ID

GHSA-pj65-3pf6-c5q4

EPSS Score

0.33874%

CWE

CWE-347

Published

5/24/2022

Updated

9/26/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
python-apt	pip	< 0.8.3ubuntu7.5	0.8.3ubuntu7.5
python-apt	pip	>= 0.9.0, < 0.9.3.5ubuntu3	0.9.3.5ubuntu3
python-apt	pip	>= 1.2.0, < 1.6.5ubuntu0.1	1.6.5ubuntu0.1
python-apt	pip	>= 1.7.0, < 1.9.0ubuntu1.2	1.9.0ubuntu1.2
python-apt	pip	>= 1.9.1, < 1.9.5	1.9.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly names Version.fetch_binary(), Version.fetch_source() in apt/package.py and _fetch_archives() in apt/cache.py as functions that lacked hash signature verification. Multiple authoritative sources (CVE, GHSA, Ubuntu security notices) confirm these entry points failed to enforce cryptographic signature checks, which is directly tied to CWE-347. The functions' roles in package fetching operations make them logical points for this vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Pyt*on-*pt *o*sn't ****k i* **s**s *r* si*n** in `V*rsion.**t**_*in*ry()` *n* `V*rsion.**t**_sour**()` o* *pt/p**k***.py or in `_**t**_*r**iv*s()` o* *pt/*****.py in v*rsion *.*.*u*untu* *n* **rli*r. T*is *llows *ownlo**s *rom unsi*n** r*positori*s w

Reasoning

T** vuln*r**ility **s*ription *xpli*itly n*m*s V*rsion.**t**_*in*ry(), V*rsion.**t**_sour**() in *pt/p**k***.py *n* _**t**_*r**iv*s() in *pt/*****.py *s *un*tions t**t l**k** **s* si*n*tur* v*ri*i**tion. Multipl* *ut*orit*tiv* sour**s (*V*, **S*, U*u

4.7

Basic Information

Concerned about an active attack path?

CVE-2019-15796: python-apt Does Not Check Hash Signature

4.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI