CVE-2017-2623: Improper Certificate Validation in Rpm-ostree

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.3% (top 50.28%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 27; latest update May 13

Description

It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability: 1.6 | Impact: 3.6

Affected Packages (2 packages)

Also affects: Enterprise Linux 7.0

Vulnerability Details (1)

GHSA
GHSA-v473-h83f-x76x: It was discovered that rpm-ostree and rpm-ostree-client before 2017... (2022-05-13)

Vendor Advisories (1)

Red Hat
rpm-ostree-client: fails to check gpg package signatures when layering (2017-03-02)

Community (1)

Bugzilla
CVE-2017-2623 rpm-ostree, rpm-ostree-client: fails to check gpg package signatures when layering (2017-02-14)