CVE-2021-20271
rpm: Signature checks bypass via corrupted rpm package
Descriptions
A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.
Timeline
- 2020-12-17 CVE Reserved
- 2021-03-26 CVE Published
- 2023-12-10 EPSS Updated
- 2024-08-03 CVE Updated
CWE
- CWE-345: Insufficient Verification of Data Authenticity
References (8)
URL | Tag | Date
---|---|---
https://www.starwindsoftware.com/security/sw-20220805-0002 | Third Party Advisory | -
https://bugzilla.redhat.com/show_bug.cgi?id=1934125 | - | 2021-12-07
https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21 | - | 2023-02-12
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Rpm | Rpm | >= 4.15.0 < 4.15.1.3 | - | Affected
Rpm | Rpm | >= 4.16.0 < 4.16.1.3 | - | Affected
Rpm | Rpm | 4.15.0 | alpha | Affected
Rpm | Rpm | 4.15.0 | beta1 | Affected
Rpm | Rpm | 4.15.0 | rc1 | Affected
Rpm | Rpm | 4.16.0 | alpha | Affected
Rpm | Rpm | 4.16.0 | beta2 | Affected
Rpm | Rpm | 4.16.0 | beta3 | Affected
Rpm | Rpm | 4.16.0 | rc1 | Affected
Redhat | Enterprise Linux | 8.0 | - | Affected
Fedoraproject | Fedora | 32 | - | Affected
Fedoraproject | Fedora | 33 | - | Affected
Fedoraproject | Fedora | 34 | - | Affected
Starwindsoftware | Starwind Virtual San | v8 | build14398 | Affected