There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.
Published 2022-08-22 15:15:13
Updated 2023-02-12 23:41:16
Source Red Hat, Inc.

Exploit prediction scoring system (EPSS) score for CVE-2021-3521

EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~29% (the proportion of vulnerabilities scored at or below this score)

CVSS scores for CVE-2021-3521

Base Score: 4.7
Base Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploitability Score: 1.0
Impact Score: 3.6
Score Source: NIST

CWE ids for CVE-2021-3521

References for CVE-2021-3521

Products affected by CVE-2021-3521
