4.7

CVE-2021-3521

EPSS 0.02%
Published 22.08.2022 15:15:13
Last modified 21.11.2024 06:21:45
Source secalert@redhat.com
Teams watchlist Login
Open Login

There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.

Affected products Warnungen 0 Metrics 2 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Rpm ≫ Rpm Version < 4.17.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.025

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.7	1	3.6	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://access.redhat.com/security/cve/CVE-2021-3521

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1941098

Patch

Third Party Advisory

Issue Tracking

https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8

Patch

Third Party Advisory

https://github.com/rpm-software-management/rpm/pull/1795/

Patch

Third Party Advisory

https://security.gentoo.org/glsa/202210-22

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-3521

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-3521

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-3521

EUVD