{"api_version":"1","generated_at":"2026-04-23T05:58:02+00:00","cve":"CVE-2021-3445","urls":{"html":"https://cve.report/CVE-2021-3445","api":"https://cve.report/api/cve/CVE-2021-3445.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-3445","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-3445"},"summary":{"title":"CVE-2021-3445","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2021-05-19 14:15:00","updated_at":"2023-11-07 03:38:00"},"problem_types":["CWE-347"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4NL7TNWAHJ6JVRABQUPWHKKCTHUZMNF/","name":"FEDORA-2021-eadfc56b95","refsource":"","tags":[],"title":"[SECURITY] Fedora 33 Update: rpm-ostree-2021.4-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DPMFGGQ5T6WVFTFX3OKMVTTM5O4EXWZR/","name":"FEDORA-2021-c6802f0b69","refsource":"","tags":[],"title":"[SECURITY] Fedora 34 Update: rpm-ostree-2021.4-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4NL7TNWAHJ6JVRABQUPWHKKCTHUZMNF/","name":"FEDORA-2021-eadfc56b95","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 33 Update: rpm-ostree-2021.4-1.fc33 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932079","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1932079","refsource":"MISC","tags":[],"title":"1932079 – (CVE-2021-3445) CVE-2021-3445 libdnf: libdnf does its own signature verification, but this can be tricked by placing a signature in the main header","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPMFGGQ5T6WVFTFX3OKMVTTM5O4EXWZR/","name":"FEDORA-2021-c6802f0b69","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: rpm-ostree-2021.4-1.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-3445","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3445","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"3445","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"33","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3445","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3445","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3445","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rpm","cpe5":"libdnf","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-3445","qid":"159517","title":"Oracle Enterprise Linux Security Update for dnf (ELSA-2021-4464)"},{"cve":"CVE-2021-3445","qid":"179923","title":"Debian Security Update for libdnf (CVE-2021-3445)"},{"cve":"CVE-2021-3445","qid":"239847","title":"Red Hat Update for dnf (RHSA-2021:4464)"},{"cve":"CVE-2021-3445","qid":"281318","title":"Fedora Security Update for rpm (FEDORA-2021-eadfc56b95)"},{"cve":"CVE-2021-3445","qid":"281319","title":"Fedora Security Update for rpm (FEDORA-2021-c6802f0b69)"},{"cve":"CVE-2021-3445","qid":"670710","title":"EulerOS Security Update for libdnf (EulerOS-SA-2021-2468)"},{"cve":"CVE-2021-3445","qid":"670773","title":"EulerOS Security Update for libdnf (EulerOS-SA-2021-2531)"},{"cve":"CVE-2021-3445","qid":"670797","title":"EulerOS Security Update for libdnf (EulerOS-SA-2021-2555)"},{"cve":"CVE-2021-3445","qid":"670934","title":"EulerOS Security Update for libdnf (EulerOS-SA-2021-2468)"},{"cve":"CVE-2021-3445","qid":"750965","title":"OpenSUSE Security Update for libdnf (openSUSE-SU-2021:2685-1)"},{"cve":"CVE-2021-3445","qid":"900043","title":"CBL-Mariner Linux Security Update for libdnf 0.43.1"},{"cve":"CVE-2021-3445","qid":"902828","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for libdnf (4245)"},{"cve":"CVE-2021-3445","qid":"940302","title":"AlmaLinux Security Update for dnf (ALSA-2021:4464)"},{"cve":"CVE-2021-3445","qid":"960804","title":"Rocky Linux Security Update for dnf (RLSA-2021:4464)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-3445","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"libdnf","version":{"version_data":[{"version_value":"libdnf 0.60.1"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-347"}]}]},"references":{"reference_data":[{"refsource":"FEDORA","name":"FEDORA-2021-eadfc56b95","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4NL7TNWAHJ6JVRABQUPWHKKCTHUZMNF/"},{"refsource":"FEDORA","name":"FEDORA-2021-c6802f0b69","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPMFGGQ5T6WVFTFX3OKMVTTM5O4EXWZR/"},{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1932079","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1932079"}]},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability."}]}},"nvd":{"publishedDate":"2021-05-19 14:15:00","lastModifiedDate":"2023-11-07 03:38:00","problem_types":["CWE-347"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:H/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"HIGH","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":5.1},"severity":"MEDIUM","exploitabilityScore":4.9,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rpm:libdnf:*:*:*:*:*:*:*:*","versionEndExcluding":"0.60.1","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"3445","Ordinal":"203663","Title":"CVE-2021-3445","CVE":"CVE-2021-3445","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"3445","Ordinal":"1","NoteData":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"3445","Ordinal":"2","NoteData":"2021-05-19","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"3445","Ordinal":"3","NoteData":"2021-05-19","Type":"Other","Title":"Modified"}]}}}