CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-20021
https://notcve.org/view.php?id=CVE-2016-20021
In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable. En Gentoo Portage anterior a 3.0.47, falta la validación PGP del código ejecutado: el emerge-webrsync independiente descarga un archivo .gpgsig pero no realiza la verificación de firma. • https://bugs.gentoo.org/597800 https://gitweb.gentoo.org/proj/portage.git/tree/NEWS https://wiki.gentoo.org/wiki/Portage • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 2CVE-2019-20384
https://notcve.org/view.php?id=CVE-2019-20384
Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is writable in between a call to emake and a call to fowners. Gentoo Portage versiones hasta 2.3.84, permite a usuarios locales colocar un complemento de tipo caballo de Troya en el directorio /usr/lib64/nagios/plugins al aprovechar el acceso a la cuenta de usuario nagios, porque este directorio es escribible entre una llamada a emake y una llamada a Fowners. • http://www.openwall.com/lists/oss-security/2020/01/21/1 https://bugs.gentoo.org/692492 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 1CVE-2013-2100
https://notcve.org/view.php?id=CVE-2013-2100
The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify binary package lists via a crafted certificate. La función urlopen en pym/portage/util/_urlopen.py en Gentoo Portage 2.1.12, cuando utiliza HTTPS, no verifica los certificados X.509 de los servidores SSL, lo que permite a atacantes man-in-the-middle falsificar servidores y modificar listas de paquetes binarios a través de un certificado manipulado. • http://openwall.com/lists/oss-security/2013/05/15/5 http://openwall.com/lists/oss-security/2013/05/16/3 http://www.securityfocus.com/bid/59878 https://bugs.gentoo.org/show_bug.cgi?id=469888 https://exchange.xforce.ibmcloud.com/vulnerabilities/84315 https://security.gentoo.org/glsa/201507-16 • CWE-310: Cryptographic Issues •