CVE-2016-20021

CWE-3475 documents4 sources

Severity

9.8CRITICAL

EPSS

0.0%

top 88.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gentoo Portage

Timeline

PublishedJan 12

Description

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDgentoo/portage< 3.0.47

▶PyPIportage< 3.0.47

Patches

Patch: bugs.gentoo.org ↗Patch: bugs.gentoo.org ↗

🔴Vulnerability Details

CVEList

CVE-2016-20021: In Gentoo Portage before 3↗2024-01-12

▶

GHSA

Gentoo Portage missing PGP validation of executed code↗2024-01-12

▶

OSV

Gentoo Portage missing PGP validation of executed code↗2024-01-12

▶

OSV

CVE-2016-20021: In Gentoo Portage before 3↗2024-01-12

▶