CVE Vulnerabilities

CVE-2021-20271

Insufficient Verification of Data Authenticity

Published: Mar 26, 2021 | Modified: Feb 12, 2023
CVSS 3.x: 7 HIGH | Source: NVD | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.x: 5.1 MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P

A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

Weakness

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Affected Software

Name | Vendor | Start Version | End Version
Rpm | Rpm | 4.15.0 (including) | 4.15.1.3 (excluding)
Rpm | Rpm | 4.16.0 (including) | 4.16.1.3 (excluding)
Rpm | Rpm | 4.15.0-alpha (including) | 4.15.0-alpha (including)
Rpm | Rpm | 4.15.0-beta1 (including) | 4.15.0-beta1 (including)
Rpm | Rpm | 4.15.0-rc1 (including) | 4.15.0-rc1 (including)
Rpm | Rpm | 4.16.0-alpha (including) | 4.16.0-alpha (including)
Rpm | Rpm | 4.16.0-beta2 (including) | 4.16.0-beta2 (including)
Rpm | Rpm | 4.16.0-beta3 (including) | 4.16.0-beta3 (including)
Rpm | Rpm | 4.16.0-rc1 (including) | 4.16.0-rc1 (including)

References