Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-3521

Date: August 22, 2022

There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.

Severity Score

Related Resources (13)

https://bugzilla.redhat.com/show_bug.cgi?id=1941098
https://people.canonical.com/~ubuntu-security/cve/CVE-2021-3521
https://security.alpinelinux.org/vuln/CVE-2021-3521
https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8
https://access.redhat.com/errata/RHSA-2022:0634
https://access.redhat.com/errata/RHSA-2022:0368
https://security.gentoo.org/glsa/202210-22
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/errata/RHSA-2022:0254
https://nvd.nist.gov/vuln/detail/CVE-2021-3521
https://security-tracker.debian.org/tracker/CVE-2021-3521
https://github.com/rpm-software-management/rpm/pull/1795/
https://www.mend.io/vulnerability-database/CVE-2021-3521

Severity Score

Weakness Type (CWE)

Improper Verification of Cryptographic Signature

CWE-347

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us