PT-2022-7386 · Rpm+8 · Rpm+8

Demi M. Obenour

Published

2021-08-15

Updated

2024-06-15

CVE-2021-3521

CVSS v3.1

4.7

Medium

Vector

AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions RPM (affected versions not specified)

Description The issue is related to a flaw in RPM's signature functionality, where OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. This could allow an attacker to add a malicious subkey to a legitimate public key, causing RPM to wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Verification of Cryptographic Signature

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-347

Related Identifiers

ALSA-2022:0368

ALT-PU-2021-2518

ALT-PU-2021-2600

AZL-10637

BDU:2024-04926

CESA-2022_0368

CVE-2021-3521

MGASA-2022-0321

OESA-2021-1431

OPENSUSE-SU-2024:12245-1

OPENSUSE-SU-2024_1557-1

OPENSUSE-SU-2024_1557-2

RHSA-2022:0254

RHSA-2022:0368

RHSA-2022:0634

RHSA-2022_0368

RLSA-2022:0368

SUSE-SU-2024:1557-1

SUSE-SU-2024:1557-2

SUSE-SU-2024:1557-3

SUSE-SU-2024_1557-1

SUSE-SU-2024_1557-2

Affected Products

Alt Linux

Almalinux

Centos

Debian

Rpm

Red Hat

Red Os

Rocky Linux

Suse

PT-2022-7386 · Rpm+8 · Rpm+8

CVE-2021-3521

Weakness Enumeration

Related Identifiers

Affected Products

References · 40