CVE-2021-20271

CWE-345 | 9 documents | 8 sources
Severity: 7.0 HIGH
EPSS: 0.2% (top 54.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 26; Latest update Jul 21

Description

A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.0 | Impact: 5.9

Affected Packages (5 packages)

NVD: rpm/rpm 4.15.0, 4.15.1.3 (+3)
Debian: rpm < 4.16.1.2+dfsg1-1 (+3)
Ubuntu: rpm < 4.12.0.1+dfsg1-3ubuntu0.1~esm1 (+2)
CVEList V5: rpm, all versions

Also affects: Fedora 32, 33, 34, Enterprise Linux 8.0

Patches

Vulnerability Details (4)

OSV: rpm vulnerabilities (2022-07-21)
GHSA: GHSA-77pm-gxx7-5c5f: A flaw was found in RPM's signature check functionality when reading a package file (2022-05-24)
CVEList: CVE-2021-20271: A flaw was found in RPM's signature check functionality when reading a package file (2021-03-26)
OSV: CVE-2021-20271: A flaw was found in RPM's signature check functionality when reading a package file (2021-03-26)

Vendor Advisories (4)

Ubuntu: RPM Package Manager vulnerabilities (2022-07-21)
Red Hat: rpm: Signature checks bypass via corrupted rpm package (2021-03-11)
Microsoft: A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package whose signature he... (2021-03-09)
Debian: CVE-2021-20271: rpm - A flaw was found in RPM's signature check functionality when reading a package f... (2021)
CVE-2021-20271 (HIGH CVSS 7) | A flaw was found in RPM's signature | cvebase.io