CVE-2021-20271

Summary

CVE	CVE-2021-20271
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-03-26 17:15:00 UTC
Updated	2023-02-12 22:15:00 UTC
Description	A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

Risk And Classification

Problem Types: CWE-345

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Fedoraproject	Fedora	32	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Application	Rpm	Rpm	All	All	All	All
Application	Rpm	Rpm	4.15.0	alpha	All	All
Application	Rpm	Rpm	4.15.0	beta1	All	All
Application	Rpm	Rpm	4.15.0	rc1	All	All
Application	Rpm	Rpm	4.16.0	alpha	All	All
Application	Rpm	Rpm	4.16.0	beta2	All	All
Application	Rpm	Rpm	4.16.0	beta3	All	All
Application	Rpm	Rpm	4.16.0	rc1	All	All
Application	Starwindsoftware	Starwind Virtual San	v8	build14398	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 34 Update: rpm-4.16.1.3-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Red Hat Customer Portal - Access to 24x7 support and knowledge	MISC	access.redhat.com
CVE-2021-20271 RPM issue in StarWind products	MISC	www.starwindsoftware.com
Be much more careful about copying data from the signature header · rpm-software-management/rpm@d6a86b5 · GitHub	MISC	github.com
[SECURITY] Fedora 33 Update: rpm-4.16.1.3-1.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Red Hat Customer Portal - Access to 24x7 support and knowledge	MISC	access.redhat.com
Red Hat Customer Portal - Access to 24x7 support and knowledge	MISC	access.redhat.com
Red Hat Customer Portal - Access to 24x7 support and knowledge	MISC	access.redhat.com
Red Hat Customer Portal - Access to 24x7 support and knowledge	MISC	access.redhat.com
[SECURITY] Fedora 32 Update: rpm-4.15.1.1-1.fc32.1 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
RPM: Multiple vulnerabilities (GLSA 202107-43) — Gentoo security	GENTOO	security.gentoo.org
[SECURITY] Fedora 34 Update: rpm-4.16.1.3-1.fc34 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
Red Hat Customer Portal - Access to 24x7 support and knowledge	MISC	access.redhat.com
[SECURITY] Fedora 33 Update: rpm-4.16.1.3-1.fc33 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
[SECURITY] Fedora 32 Update: rpm-4.15.1.1-1.fc32.1 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
1934125 – (CVE-2021-20271) CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package	MISC	bugzilla.redhat.com
Red Hat Customer Portal - Access to 24x7 support and knowledge	MISC	access.redhat.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

159287 Oracle Enterprise Linux Security Update for rpm (ELSA-2021-2574)
159540 Oracle Enterprise Linux Security Update for rpm (ELSA-2021-4785)
180326 Debian Security Update for rpm (CVE-2021-20271)
239466 Red Hat Update for rpm (RHSA-2021:2574)
239493 Red Hat Update for rpm (RHSA-2021:2791)
239907 Red Hat Update for rpm (RHSA-2021:4785)
257130 CentOS Security Update for rpm (CESA-2021:4785)
281435 Fedora Security Update for rpm (FEDORA-2021-662680e477)
281436 Fedora Security Update for rpm (FEDORA-2021-8d52a8a999)
281437 Fedora Security Update for rpm (FEDORA-2021-2383d950fd)
330113 IBM AIX Multiple Vulnerabilities due to RPM (rpm_advisory)
352470 Amazon Linux Security Advisory for rpm: ALAS-2021-1521
352485 Amazon Linux Security Advisory for rpm: ALAS2-2021-1689
377409 Alibaba Cloud Linux Security Update for rpm (ALINUX3-SA-2021:0046)
377532 Alibaba Cloud Linux Security Update for rpm (ALINUX2-SA-2021:0067)
501685 Alpine Linux Security Update for rpm
670407 EulerOS Security Update for rpm (EulerOS-SA-2021-1992)
670496 EulerOS Security Update for rpm (EulerOS-SA-2021-2254)
670522 EulerOS Security Update for rpm (EulerOS-SA-2021-2280)
670588 EulerOS Security Update for rpm (EulerOS-SA-2021-2346)
670685 EulerOS Security Update for rpm (EulerOS-SA-2021-2443)
671014 EulerOS Security Update for rpm (EulerOS-SA-2021-2613)
710026 Gentoo Linux RPM Multiple vulnerabilities (GLSA 202107-43)
730371 McAfee Web Gateway Multiple Vulnerabilities (WP-3335,WP-4131,WP-4159,WP-4237,WP-4259,WP-4329,WP-4348,WP-4355,WP-4376,WP-4407,WP-4421)
750965 OpenSUSE Security Update for libdnf (openSUSE-SU-2021:2685-1)
750981 OpenSUSE Security Update for rpm (openSUSE-SU-2021:2682-1)
751248 OpenSUSE Security Update for rpm (openSUSE-SU-2021:1366-1)
752786 SUSE Enterprise Linux Security Update for rpm (SUSE-SU-2022:3939-1)
900173 CBL-Mariner Linux Security Update for rpm 4.14.2
903101 Common Base Linux Mariner (CBL-Mariner) Security Update for rpm (4031)
940261 AlmaLinux Security Update for rpm (ALSA-2021:2574)
960068 Rocky Linux Security Update for rpm (RLSA-2021:2574)