| Vulnerability Name: | CVE-2021-3445 (CCN-203146) | ||||||||||||||||||||||||||||||||
| Assigned: | 2021-03-16 | ||||||||||||||||||||||||||||||||
| Published: | 2021-03-16 | ||||||||||||||||||||||||||||||||
| Updated: | 2022-02-24 | ||||||||||||||||||||||||||||||||
| Summary: | A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability. | ||||||||||||||||||||||||||||||||
| CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
5.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
5.6 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||
| CVSS v2 Severity: | 5.1 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
| ||||||||||||||||||||||||||||||||
| Vulnerability Type: | CWE-347 | ||||||||||||||||||||||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2021-3445 Source: CCN Type: Red Hat Bugzilla Bug 1932079 CVE-2021-3445 libdnf: libdnf does its own signature verification, but this can be tricked by placing a signature in the main header Source: MISC Type: Issue Tracking, Mitigation, Third Party Advisory https://bugzilla.redhat.com/show_bug.cgi?id=1932079 Source: XF Type: UNKNOWN libdnf-cve20213445-code-exec(203146) Source: CCN Type: libdnf GIT Repository libdnf Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-c6802f0b69 Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-eadfc56b95 Source: CCN Type: IBM Security Bulletin 6541298 (Cloud Pak for Automation) Multiple security vulnerabilities fixed in Cloud Pak for Automation components Source: CCN Type: IBM Security Bulletin 6551876 (Cloud Pak for Security) Cloud Pak for Security uses packages that are vulnerable to multiple CVEs Source: CCN Type: IBM Security Bulletin 6560126 (Sterling Connect:Direct for UNIX Certified Container) IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93 Source: CCN Type: IBM Security Bulletin 6574787 (QRadar SIEM) IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities Source: CCN Type: IBM Security Bulletin 6856409 (Cloud Pak for Security) IBM Cloud Pak for Security includes components with multiple known vulnerabilities | ||||||||||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration 3: Configuration RedHat 1: Configuration RedHat 2: Configuration RedHat 3: Configuration RedHat 4: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||||||||||