CVE-2013-6435 — Injection in RPM

CWE-74 — Injection CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition9 documents7 sources

Severity

7.6HIGHNVD

EPSS

5.1%

top 10.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RPM Debian RPM Debian Linux

Timeline

PublishedDec 16

Latest updateMay 14

Description

Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.

CVSS vector

AV:N/AC:H/C:C/I:C/A:CExploitability: 4.9 | Impact: 10.0

Affected Packages4 packages

▶debiandebian/rpm< rpm 4.11.3-1.1 (bookworm)

▶Debianrpm/rpm< 4.11.3-1.1+3

▶Ubunturpm/rpm< 4.11.1-3ubuntu0.1

▶NVDrpm/rpm4.11.1+101

Also affects: Debian Linux 7.0

🔴Vulnerability Details

GHSA

GHSA-qww5-w98g-66q7: Race condition in RPM 4↗2022-05-14

▶

OSV

rpm vulnerabilities↗2015-01-19

▶

OSV

CVE-2013-6435: Race condition in RPM 4↗2014-12-16

▶

📋Vendor Advisories

Ubuntu

RPM vulnerabilities↗2015-01-19

▶

Red Hat

rpm: race condition during the installation process↗2014-12-09

▶

Debian

CVE-2013-6435: rpm - Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbi...↗2013

▶

💬Community

Bugzilla

CVE-2014-8118 CVE-2013-6435 rpm: various flaws [fedora-all]↗2014-12-09

▶

Bugzilla

CVE-2013-6435 rpm: race condition during the installation process↗2013-12-10

▶