CVE-2017-2623

EPSS 0.28%
Published 27.07.2018 18:29:00
Last modified 21.11.2024 03:23:51
Source secalert@redhat.com
Teams watchlist Login
Open Login

It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.

Affected products Warnungen 0 Metrics 4 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Rpm-ostree ≫ Rpm-ostree Version < 2017.3

Rpm-ostree ≫ Rpm-ostree-client Version < 2017.3

Redhat ≫ Enterprise Linux Version7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.28%	0.507

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	1.6	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
secalert@redhat.com	5.3	1.6	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

http://www.securityfocus.com/bid/96558

Third Party Advisory

VDB Entry

https://access.redhat.com/errata/RHSA-2017:0444

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2623

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2017-2623

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-2623

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-2623

EUVD