Description
A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.
References (7)
Mailing List, Third Party Advisory (vendor-advisory): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHRPNBCRPDJHHQE3MBPSZK4H7X2IM7AC/
Mailing List, Third Party Advisory (vendor-advisory): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMGXO3W6DHPO62GJ4VVF5DEUX5DRUR5K/
Mailing List, Third Party Advisory (vendor-advisory): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YILPBTPSBRYL4POBI3F4YUSVPSOQNJBY/
Third Party Advisory (vendor-advisory): https://security.gentoo.org/glsa/202107-43
Issue Tracking, Patch, Third Party Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1934125
Patch, Third Party Advisory: https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21
Third Party Advisory: https://www.starwindsoftware.com/security/sw-20220805-0002/
Scores
CVSS v3 base score: 7.0
EPSS: 0.0023
EPSS Percentile: 45.4%
Attack Vector: LOCAL
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-345
Status: published
Products (8)
fedoraproject/fedora 32
fedoraproject/fedora 33
fedoraproject/fedora 34
redhat/enterprise_linux 8.0
rpm/rpm 4.15.0 alpha (3 CPE variants)
rpm/rpm 4.16.0 alpha (4 CPE variants)
rpm/rpm 4.15.0 - 4.15.1.3
starwindsoftware/starwind_virtual_san v8 build14398
Published: Mar 26, 2021
Tracked Since: Feb 18, 2026