icon

We found results for “

CVE-2021-3521

Good to know:

Date: April 28, 2021

There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature."[1] RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. 1. https://tools.ietf.org/html/rfc4880#section-5.2.1

Severity Score

Severity Score

Top Fix

icon

Upgrade Version

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us