CVE-2021-20271
Published on: 03/26/2021 12:00:00 AM UTC
Last Modified on: 02/02/2023 09:20:00 PM UTC
Certain versions of RPM, and of distributions that ship it such as Fedora from Fedoraproject, contain the following vulnerability:
A flaw was found in RPM's signature check functionality when reading a package file. An attacker who can convince a victim to install a package that appears to verify, but whose signature header has been modified, can corrupt the RPM database and execute code. The package still has to be installed by the victim (local attack vector, user interaction required), but once it is, the highest threat is to data integrity, confidentiality, and system availability.
- CVE-2021-20271 was assigned by [email protected] to track this vulnerability; it is currently rated HIGH severity.
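The failure mode the description and the referenced commit title ("Be much more careful about copying data from the signature header") point at is a reader that trusts the index entries of a signature header before copying data out of it. The reader below is an added example written for this page, not code from rpm or from the referenced commit. It assumes the on-disk .rpm layout (96-byte lead, signature header, padding to 8 bytes, main header, payload), uses a small subset of rpm's public signature tag numbers, and applies sanity caps (MAX_ENTRIES, MAX_DATA) that are my own choice rather than rpm's constants. The sample package bytes and the two tampered variants are constructed inline.

```python
"""Bounds- and type-checking reader for the RPM header structure, the container
used by both the signature header and the main header of a .rpm file.
Added example, not rpm's own code: every offset, count and type in the index is
validated before a single byte is copied out of the data segment."""
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"        # first 4 bytes of the 96-byte lead
LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # header structure magic + version 1
FIXED_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # CHAR INT8 INT16 INT32 INT64 BIN
STRING_TYPES = {6, 8, 9}                # STRING, STRING_ARRAY, I18NSTRING
MAX_ENTRIES, MAX_DATA = 0xFFFF, 0x0FFFFFFF            # assumed sanity caps
# Signature-header tags whose type a verifier must insist on (assumed subset of
# rpm's public list): 62 HEADER_SIGNATURES region, 267 DSA, 268 RSA, 269 SHA1,
# 273 SHA256, 1000 SIZE, 1004 MD5, 1007 PAYLOADSIZE
SIG_TAG_TYPES = {62: 7, 267: 7, 268: 7, 269: 6, 273: 6, 1000: 4, 1004: 7, 1007: 4}


def parse_header(blob, offset=0):
    """Parse one header structure at `offset`; return ({tag: (type, value)}, end)."""
    if blob[offset:offset + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic")
    count, datalen = struct.unpack(">II", blob[offset + 8:offset + 16])
    if not 0 < count <= MAX_ENTRIES or datalen > MAX_DATA:
        raise ValueError("implausible index count or data length")
    index_start = offset + 16
    data_start = index_start + 16 * count
    data_end = data_start + datalen
    if data_end > len(blob):
        raise ValueError("header truncated")
    data = blob[data_start:data_end]
    entries = {}
    for i in range(count):
        rec = blob[index_start + 16 * i:index_start + 16 * (i + 1)]
        tag, typ, off, cnt = struct.unpack(">IIII", rec)
        if tag in entries:
            raise ValueError(f"tag {tag}: duplicate entry")
        if off > datalen:
            raise ValueError(f"tag {tag}: offset {off} outside data")
        if typ in FIXED_SIZES:
            need = FIXED_SIZES[typ] * cnt          # Python ints: no 32-bit wraparound
            if cnt == 0 or need > datalen - off:
                raise ValueError(f"tag {tag}: {cnt} element(s) of type {typ} overrun data")
            value = data[off:off + need]
        elif typ in STRING_TYPES:
            if cnt == 0 or (typ == 6 and cnt != 1):
                raise ValueError(f"tag {tag}: bad string count {cnt}")
            value, pos = [], off
            for _ in range(cnt):                  # every string must end inside data
                end = data.find(b"\0", pos)
                if end < 0:
                    raise ValueError(f"tag {tag}: unterminated string")
                value.append(data[pos:end])
                pos = end + 1
            if typ == 6:
                value = value[0]
        else:
            raise ValueError(f"tag {tag}: unknown type {typ}")
        entries[tag] = (typ, value)
    return entries, data_end


def check_signature_header(entries):
    """List type/size complaints about a parsed signature header (empty == clean)."""
    problems = [f"tag {t}: type {typ}, expected {SIG_TAG_TYPES[t]}"
                for t, (typ, _) in entries.items()
                if t in SIG_TAG_TYPES and typ != SIG_TAG_TYPES[t]]
    if 1004 in entries and len(entries[1004][1]) != 16:
        problems.append("tag 1004: MD5 digest is not 16 bytes")
    return problems


def split_rpm(blob):
    """lead -> signature header -> pad to 8 -> main header; return (sig, hdr, payload offset)."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an rpm: bad lead magic")
    sig, end = parse_header(blob, LEAD_SIZE)
    problems = check_signature_header(sig)
    if problems:
        raise ValueError("signature header rejected: " + "; ".join(problems))
    end += (-end) % 8
    hdr, payload_start = parse_header(blob, end)
    return sig, hdr, payload_start


def build_header(fields):
    """Assemble a header from (tag, type, count, raw_data) tuples; test input only."""
    index = data = b""
    for tag, typ, cnt, raw in fields:
        index += struct.pack(">IIII", tag, typ, len(data), cnt)
        data += raw
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(fields), len(data)) + index + data


def demo():
    """Constructed .rpm skeleton, then two signature-header tampers a trusting reader would copy."""
    sig = build_header([(1004, 7, 16, bytes(range(16))),          # placeholder MD5 digest
                        (1000, 4, 1, struct.pack(">I", 4096)),    # SIZE at offset 16 (aligned)
                        (273, 6, 1, b"0" * 64 + b"\0")])          # placeholder SHA256 hex
    sig += b"\0" * ((-len(sig)) % 8)
    main = build_header([(1000, 6, 1, b"hello\0")])   # RPMTAG_NAME; main-header tags are a separate namespace
    good = LEAD_MAGIC + bytes(LEAD_SIZE - 4) + sig + main
    parsed_sig, _, payload = split_rpm(good)
    overrun = bytearray(good)                          # tamper 1: MD5 count 16 -> 4096
    struct.pack_into(">I", overrun, LEAD_SIZE + 16 + 12, 4096)
    confused = bytearray(good)                         # tamper 2: relabel SIZE (INT32) as BIN
    struct.pack_into(">I", confused, LEAD_SIZE + 16 + 16 + 4, 7)

    def rejected(b):
        try:
            split_rpm(bytes(b))
            return None
        except ValueError as e:
            return str(e)
    return {"size": int.from_bytes(parsed_sig[1000][1], "big"), "payload_offset": payload,
            "overrun": rejected(overrun), "confused": rejected(confused)}
```

Run `demo()` to see the untampered skeleton parse cleanly (SIZE 4096, payload at offset 286) while both tampers are refused before anything is copied. The first tamper is the shape of bug the commit title describes: an index entry whose count no longer matches the data behind it. A reader that sizes its copy from the entry rather than from the validated data segment reads past the digest. The second shows why tag types must be pinned per tag rather than taken from the file.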
CVSS3 Score: 7.0 - HIGH

Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
LOCAL | HIGH | NONE | REQUIRED |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 5.1 - MEDIUM

Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | HIGH | NONE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
PARTIAL | PARTIAL | PARTIAL |
CVE References

Description | Tags | Link |
---|---|---|
[SECURITY] Fedora 34 Update: rpm-4.16.1.3-1.fc34 - package-announce - Fedora Mailing-Lists | text/html | lists.fedoraproject.org |
Red Hat Customer Portal - Access to 24x7 support and knowledge | text/html | access.redhat.com |
CVE-2021-20271 RPM issue in StarWind products | text/html | www.starwindsoftware.com |
Be much more careful about copying data from the signature header · rpm-software-management/[email protected] · GitHub | text/html | github.com |
[SECURITY] Fedora 33 Update: rpm-4.16.1.3-1.fc33 - package-announce - Fedora Mailing-Lists | text/html | lists.fedoraproject.org |
Red Hat Customer Portal - Access to 24x7 support and knowledge | text/html | access.redhat.com |
Red Hat Customer Portal - Access to 24x7 support and knowledge | text/html | access.redhat.com |
Red Hat Customer Portal - Access to 24x7 support and knowledge | text/html | access.redhat.com |
Red Hat Customer Portal - Access to 24x7 support and knowledge | text/html | access.redhat.com |
[SECURITY] Fedora 32 Update: rpm-4.15.1.1-1.fc32.1 - package-announce - Fedora Mailing-Lists | text/html | lists.fedoraproject.org |
RPM: Multiple vulnerabilities (GLSA 202107-43) — Gentoo security | text/html | security.gentoo.org |
Red Hat Customer Portal - Access to 24x7 support and knowledge | text/html | access.redhat.com |
1934125 – (CVE-2021-20271) CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package | text/html | bugzilla.redhat.com |
Red Hat Customer Portal - Access to 24x7 support and knowledge | text/html | access.redhat.com |
Related QID Numbers
- 159287 Oracle Enterprise Linux Security Update for rpm (ELSA-2021-2574)
- 159540 Oracle Enterprise Linux Security Update for rpm (ELSA-2021-4785)
- 180326 Debian Security Update for rpm (CVE-2021-20271)
- 239466 Red Hat Update for rpm (RHSA-2021:2574)
- 239493 Red Hat Update for rpm (RHSA-2021:2791)
- 239907 Red Hat Update for rpm (RHSA-2021:4785)
- 257130 CentOS Security Update for rpm (CESA-2021:4785)
- 281435 Fedora Security Update for rpm (FEDORA-2021-662680e477)
- 281436 Fedora Security Update for rpm (FEDORA-2021-8d52a8a999)
- 281437 Fedora Security Update for rpm (FEDORA-2021-2383d950fd)
- 330113 IBM AIX Multiple Vulnerabilities due to RPM (rpm_advisory)
- 352470 Amazon Linux Security Advisory for rpm: ALAS-2021-1521
- 352485 Amazon Linux Security Advisory for rpm: ALAS2-2021-1689
- 377409 Alibaba Cloud Linux Security Update for rpm (ALINUX3-SA-2021:0046)
- 377532 Alibaba Cloud Linux Security Update for rpm (ALINUX2-SA-2021:0067)
- 501685 Alpine Linux Security Update for rpm
- 670407 EulerOS Security Update for rpm (EulerOS-SA-2021-1992)
- 670496 EulerOS Security Update for rpm (EulerOS-SA-2021-2254)
- 670522 EulerOS Security Update for rpm (EulerOS-SA-2021-2280)
- 670588 EulerOS Security Update for rpm (EulerOS-SA-2021-2346)
- 670685 EulerOS Security Update for rpm (EulerOS-SA-2021-2443)
- 671014 EulerOS Security Update for rpm (EulerOS-SA-2021-2613)
- 710026 Gentoo Linux RPM Multiple vulnerabilities (GLSA 202107-43)
- 730371 McAfee Web Gateway Multiple Vulnerabilities (WP-3335,WP-4131,WP-4159,WP-4237,WP-4259,WP-4329,WP-4348,WP-4355,WP-4376,WP-4407,WP-4421)
- 750965 OpenSUSE Security Update for libdnf (openSUSE-SU-2021:2685-1)
- 750981 OpenSUSE Security Update for rpm (openSUSE-SU-2021:2682-1)
- 751248 OpenSUSE Security Update for rpm (openSUSE-SU-2021:1366-1)
- 752786 SUSE Enterprise Linux Security Update for rpm (SUSE-SU-2022:3939-1)
- 900173 CBL-Mariner Linux Security Update for rpm 4.14.2
- 903101 Common Base Linux Mariner (CBL-Mariner) Security Update for rpm (4031)
- 940261 AlmaLinux Security Update for rpm (ALSA-2021:2574)
- 960068 Rocky Linux Security Update for rpm (RLSA-2021:2574)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Operating System | Fedoraproject | Fedora | 32 | All | All | All |
Operating System | Fedoraproject | Fedora | 33 | All | All | All |
Operating System | Fedoraproject | Fedora | 34 | All | All | All |
Operating System | Redhat | Enterprise Linux | 8.0 | All | All | All |
Application | Rpm | Rpm | All | All | All | All |
Application | Rpm | Rpm | 4.15.0 | alpha | All | All |
Application | Rpm | Rpm | 4.15.0 | beta1 | All | All |
Application | Rpm | Rpm | 4.15.0 | rc1 | All | All |
Application | Rpm | Rpm | 4.16.0 | alpha | All | All |
Application | Rpm | Rpm | 4.16.0 | beta2 | All | All |
Application | Rpm | Rpm | 4.16.0 | beta3 | All | All |
Application | Rpm | Rpm | 4.16.0 | rc1 | All | All |
Application | Starwindsoftware | Starwind Virtual San | v8 | build14398 | All | All |
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:*:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.15.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.15.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.15.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.16.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.16.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.16.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.16.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8:build14398:*:*:*:*:*:*
No vendor comments have been submitted for this CVE
Social Mentions

Title | Posted (UTC) |
---|---|
PSA for all RHEL/CentOS admins: enable `repo_gpgcheck=1` for all repos NOW | 2021-04-28 00:19:24 |
CVE-2021-20271 Mitigation | 2021-06-07 09:02:51 |
AOS 5.20.3 available! | 2022-01-25 08:34:08 |