| Field | Value |
| --- | --- |
| Vulnerability Name | CVE-2017-2623 (CCN-124723) |
| Assigned | 2016-12-01 |
| Published | 2017-03-02 |
| Updated | 2019-10-09 |
| Summary | It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could therefore fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default. |
| CVSS v3 Severity | 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N); 4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C); 5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C) |
| CVSS v2 Severity | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N) |
| Vulnerability Type | CWE-295 |
| Vulnerability Consequences | Bypass Security |

References:

- Source: MITRE (Type: CNA): CVE-2017-2623
- Source: BID (Type: Third Party Advisory, VDB Entry): 96558
- Source: CCN (Type: BID-96558): Project Atomic rpm-ostree CVE-2017-2623 Security Bypass Vulnerability
- Source: REDHAT (Type: Third Party Advisory): RHSA-2017:0444
- Source: CCN (Type: Red Hat Bugzilla): Bug 1422157 (CVE-2017-2623) "CVE-2017-2623 rpm-ostree and rpm-ostree-client fail to check gpg package signatures when layering" [NEEDINFO]
- Source: CONFIRM (Type: Issue Tracking, Third Party Advisory): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2623
- Source: XF (Type: UNKNOWN): rpm-ostree-cve20172623-sec-bypass(124723)
- Source: CCN (Type: rpm-ostree Web site): rpm-ostree
- Source: CCN (Type: WhiteSource Vulnerability Database): CVE-2017-2623

Vulnerable Configuration:

- Configuration 1:
- Configuration 2:
- Configuration CCN 1: