CVE-2017-2623

EPSS 0.28%
Veröffentlicht 27.07.2018 18:29:00
Zuletzt bearbeitet 21.11.2024 03:23:51
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rpm-ostree ≫ Rpm-ostree Version < 2017.3

Rpm-ostree ≫ Rpm-ostree-client Version < 2017.3

Redhat ≫ Enterprise Linux Version7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.507

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	1.6	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N
secalert@redhat.com	5.3	1.6	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

http://www.securityfocus.com/bid/96558

Third Party Advisory

VDB Entry

https://access.redhat.com/errata/RHSA-2017:0444

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2623

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2017-2623

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-2623

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-2623

EUVD