CVE-2021-3445

A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 7.5 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |

EPSS Score
Percentile: 11%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| rpm | libdnf | 𝑥 < 0.60.1 |
| redhat | enterprise_linux | 8.0 |

𝑥 = Vulnerable software versions

Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| libdnf | bookworm | 0.69.0-2 | fixed |
| libdnf | bullseye | 0.55.2-6 | fixed |
| libdnf | sid | 0.73.3-1 | fixed |
| libdnf | trixie | 0.73.3-1 | fixed |

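Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| libdnf | bionic | dne |
| libdnf | focal | dne |
| libdnf | groovy | dne |
| libdnf | hirsute | ignored |
| libdnf | impish | ignored |
| libdnf | jammy | needed |
| libdnf | kinetic | ignored |
| libdnf | lunar | ignored |
| libdnf | mantic | ignored |
| libdnf | noble | needed |
| libdnf | trusty | dne |
| libdnf | xenial | dne |
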
Red Hat Enterprise Linux Releases

| Red Hat Product | Release | Version | Status |
|---|---|---|---|
| dnf | RHEL 8 | 0:4.7.0-4.el8 | fixed |
| dnf-automatic | RHEL 8 | 0:4.7.0-4.el8 | fixed |
| dnf-data | RHEL 8 | 0:4.7.0-4.el8 | fixed |
| dnf-plugins-core | RHEL 8 | 0:4.0.21-3.el8 | fixed |
| libdnf | RHEL 8 | 0:0.63.0-3.el8 | fixed |
| libdnf-devel | RHEL 8 | 0:0.63.0-3.el8 | fixed |
| python3-dnf | RHEL 8 | 0:4.7.0-4.el8 | fixed |
| python3-dnf-plugin-post-transaction-actions | RHEL 8 | 0:4.0.21-3.el8 | fixed |
| python3-dnf-plugin-versionlock | RHEL 8 | 0:4.0.21-3.el8 | fixed |
| python3-dnf-plugins-core | RHEL 8 | 0:4.0.21-3.el8 | fixed |
| python3-hawkey | RHEL 8 | 0:0.63.0-3.el8 | fixed |
| python3-libdnf | RHEL 8 | 0:0.63.0-3.el8 | fixed |
| yum | RHEL 8 | 0:4.7.0-4.el8 | fixed |
| yum-utils | RHEL 8 | 0:4.0.21-3.el8 | fixed |