CVE-2021-3445Improper Verification of Cryptographic Signature in Libdnf

CWE-347Improper Verification of Cryptographic SignatureCWE-787Out-of-bounds Write8 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.0%
top 88.68%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
RPM LibdnfDebian LibdnfFedoraproject Fedora+2 more
Timeline
PublishedMay 19
Latest updateFeb 15

Description

A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages5 packages

NVDrpm/libdnf< 0.60.1
debiandebian/libdnf< libdnf 0.55.2-6 (bookworm)
Debianrpm/libdnf< 0.55.2-6+3
CVEListV5rpm/libdnflibdnf 0.60.1

Also affects: Fedora 33, 34, Enterprise Linux 8.0

🔴Vulnerability Details

2
GHSA
GHSA-jrcf-96j2-jpvh: A flaw was found in libdnf's signature verification functionality in versions before 02022-05-24
OSV
CVE-2021-3445: A flaw was found in libdnf's signature verification functionality in versions before 02021-05-19

📋Vendor Advisories

5
CISA ICS
Siemens SCALANCE XCM-/XRM-3002024-02-15
Red Hat
libsolv: Heap overflow2022-02-21
Microsoft
A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM p2021-05-11
Red Hat
libdnf: Signature verification bypass via signature placed in the main RPM header2021-03-16
Debian
CVE-2021-3445: libdnf - A flaw was found in libdnf's signature verification functionality in versions be...2021
CVE-2021-3445 — RPM Libdnf vulnerability | cvebase