6.7

CVE-2021-35939

Exploit
It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RpmRpm Version < 4.18
RedhatEnterprise Linux Version8.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.48% 0.376
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.7 0.8 5.9
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://security.gentoo.org/glsa/202210-22
Third Party Advisory
https://rpm.org/wiki/Releases/4.18.0
Vendor Advisory
Release Notes
https://github.com/rpm-software-management/rpm/pull/1919
Patch
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2021-35939
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1964129
Third Party Advisory
Exploit
Issue Tracking
https://github.com/rpm-software-management/rpm/commit/96ec957e281220f8e137a2d5eb23b83a6377d556
Patch
Third Party Advisory