Vulnerability Details : CVE-2014-0022
The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RPM package signing restriction via an unsigned package.
Vulnerability category: Input validation
Products affected by CVE-2014-0022
- cpe:2.3:a:baseurl:yum:*:*:*:*:*:*:*:*
- cpe:2.3:a:baseurl:yum:3.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:baseurl:yum:3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:baseurl:yum:3.4.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-0022
- EPSS score: 0.60% (probability of exploitation activity in the next 30 days)
- Percentile: ~76% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2014-0022
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
CWE ids for CVE-2014-0022
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-0022
- http://yum.baseurl.org/gitweb?p=yum.git%3Ba=commitdiff%3Bh=9df69e5794 (yum.baseurl.org git repositories: fixing commit)
- https://bugzilla.redhat.com/show_bug.cgi?id=1052440 (1052440 – CVE-2014-0022 yum: yum-cron installs unsigned packages [fedora-all])
- http://www.securityfocus.com/bid/65119 (Yum 'yum-cron/yum-cron.py' Security Bypass Vulnerability)
- https://bugzilla.redhat.com/show_bug.cgi?id=1057377 (1057377 – (CVE-2014-0022) CVE-2014-0022 yum: yum-cron installs unsigned packages)