#VU59993 Improper Verification of Cryptographic Signature in rpm - CVE-2021-3521


Published: January 25, 2022 / Updated: August 2, 2023


Vulnerability identifier: #VU59993
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-3521
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: rpm
Software vendor: rpm-software-management

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an error in RPM's signature functionality: RPM does not check the binding signature of subkeys before importing them. In OpenPGP, the subkey binding signature is the primary key's attestation that a subkey belongs to it, so without that check a subkey the primary key never signed is accepted as if it were. A remote attacker with the ability to add a malicious subkey to a legitimate public key can run malicious code on the system.
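As an added illustration, not rpm's own code, the following Python pre-import check walks the packets of a binary OpenPGP public key and flags every subkey packet that is not followed by a subkey-binding signature; it inspects packet framing only (v4 signatures assumed, constructed dummy key material) and does not verify the signature cryptographically, which is the check rpm omitted.

```python
import itertools
SUBKEY, SIG, SUBKEY_BINDING = 14, 2, 0x18  # OpenPGP packet tags / signature type

def parse_packets(data: bytes):
    """Split binary OpenPGP key material into (tag, body) tuples (framing only)."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: 1, 2 or 4 length octets
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        packets.append((tag, body))
        i += hdr + length
    return packets

def unbound_subkeys(data: bytes):
    """Indices of subkey packets not followed by a v4 signature of type 0x18."""
    packets, bad = parse_packets(data), []
    for n, (tag, _) in enumerate(packets):
        sigs = itertools.takewhile(lambda p: p[0] == SIG, packets[n + 1:])
        if tag == SUBKEY and not any(
                len(b) >= 2 and b[0] == 4 and b[1] == SUBKEY_BINDING for _, b in sigs):
            bad.append(n)
    return bad

def packet(tag: int, body: bytes) -> bytes:
    """New-format packet with a one-octet length (constructed test data only)."""
    return bytes([0xC0 | tag, len(body)]) + body

# Constructed dummy key: primary key, user ID, self-sig (0x13), one bound subkey,
# then a second subkey with no binding signature (the CVE-2021-3521 scenario).
BOUND = (packet(6, b"\x04" + b"P" * 8) + packet(13, b"alice") + packet(2, b"\x04\x13" + b"s" * 6)
         + packet(14, b"\x04" + b"S" * 8) + packet(2, b"\x04\x18" + b"b" * 6))
UNBOUND = BOUND + packet(14, b"\x04" + b"X" * 8)
```

A key that yields a non-empty result should be rejected before `rpm --import` rather than trusted; a passing result only means the structure is complete, and the binding signature itself still has to be verified against the primary key.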
Remediation

Install update from vendor's website.

External links