{"api_version":"1","generated_at":"2026-04-23T05:58:04+00:00","cve":"CVE-2021-3521","urls":{"html":"https://cve.report/CVE-2021-3521","api":"https://cve.report/api/cve/CVE-2021-3521.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-3521","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-3521"},"summary":{"title":"CVE-2021-3521","description":"There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a \"binding signature.\" RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2022-08-22 15:15:00","updated_at":"2023-02-12 23:41:00"},"problem_types":["CWE-347"],"metrics":[],"references":[{"url":"https://access.redhat.com/errata/RHSA-2022:0634","name":"https://access.redhat.com/errata/RHSA-2022:0634","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1941098","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1941098","refsource":"MISC","tags":[],"title":"1941098 – (CVE-2021-3521) CVE-2021-3521 rpm: RPM does not require subkeys to have a valid binding signature","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2022:0254","name":"https://access.redhat.com/errata/RHSA-2022:0254","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8","name":"https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8","refsource":"MISC","tags":[],"title":"Validate and require subkey binding signatures on PGP public keys · rpm-software-management/rpm@bd36c5d · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2022:0368","name":"https://access.redhat.com/errata/RHSA-2022:0368","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/security/cve/CVE-2021-3521","name":"https://access.redhat.com/security/cve/CVE-2021-3521","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202210-22","name":"GLSA-202210-22","refsource":"GENTOO","tags":[],"title":"RPM: Multiple Vulnerabilities (GLSA 202210-22) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/rpm-software-management/rpm/pull/1795/","name":"https://github.com/rpm-software-management/rpm/pull/1795/","refsource":"MISC","tags":[],"title":"Validate and require subkey binding signatures on PGP public keys by pmatilai · Pull Request #1795 · rpm-software-management/rpm · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-3521","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3521","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"3521","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rpm","cpe5":"rpm","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-3521","qid":"159624","title":"Oracle Enterprise Linux Security Update for rpm (ELSA-2022-0368)"},{"cve":"CVE-2021-3521","qid":"183721","title":"Debian Security Update for rpm (CVE-2021-3521)"},{"cve":"CVE-2021-3521","qid":"240029","title":"Red Hat Update for rpm (RHSA-2022:0254)"},{"cve":"CVE-2021-3521","qid":"240052","title":"Red Hat Update for rpm (RHSA-2022:0368)"},{"cve":"CVE-2021-3521","qid":"240102","title":"Red Hat Update for rpm (RHSA-2022:0634)"},{"cve":"CVE-2021-3521","qid":"377369","title":"Alibaba Cloud Linux Security Update for rpm (ALINUX3-SA-2022:0007)"},{"cve":"CVE-2021-3521","qid":"502948","title":"Alpine Linux Security Update for rpm"},{"cve":"CVE-2021-3521","qid":"505817","title":"Alpine Linux Security Update for rpm"},{"cve":"CVE-2021-3521","qid":"671193","title":"EulerOS Security Update for rpm (EulerOS-SA-2022-1015)"},{"cve":"CVE-2021-3521","qid":"671227","title":"EulerOS Security Update for rpm (EulerOS-SA-2022-1035)"},{"cve":"CVE-2021-3521","qid":"671284","title":"EulerOS Security Update for rpm (EulerOS-SA-2022-1234)"},{"cve":"CVE-2021-3521","qid":"671300","title":"EulerOS Security Update for rpm (EulerOS-SA-2022-1215)"},{"cve":"CVE-2021-3521","qid":"672573","title":"EulerOS Security Update for rpm (EulerOS-SA-2023-1335)"},{"cve":"CVE-2021-3521","qid":"691000","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for rpm4 (0c52abde-717b-11ed-98ca-40b034429ecf)"},{"cve":"CVE-2021-3521","qid":"710651","title":"Gentoo Linux RPM Multiple Vulnerabilities (GLSA 202210-22)"},{"cve":"CVE-2021-3521","qid":"903715","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rpm (10647)"},{"cve":"CVE-2021-3521","qid":"903827","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rpm (10637)"},{"cve":"CVE-2021-3521","qid":"904106","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rpm (10647-1)"},{"cve":"CVE-2021-3521","qid":"904138","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for rpm (10637-1)"},{"cve":"CVE-2021-3521","qid":"940443","title":"AlmaLinux Security Update for rpm (ALSA-2022:0368)"},{"cve":"CVE-2021-3521","qid":"960109","title":"Rocky Linux Security Update for rpm (RLSA-2022:368)"},{"cve":"CVE-2021-3521","qid":"960692","title":"Rocky Linux Security Update for rpm (RLSA-2022:0368)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2021-3521","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a \"binding signature.\" RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-347 - Improper Verification of Cryptographic Signature","cweId":"CWE-347"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"RPM","version":{"version_data":[{"version_affected":"=","version_value":"Fixed in rpm-4.18.0-beta1, rpm-4.18.0-alpha2, rpm-4.18.0-alpha1 ."}]}}]}}]}},"references":{"reference_data":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1941098","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1941098"},{"url":"https://access.redhat.com/security/cve/CVE-2021-3521","refsource":"MISC","name":"https://access.redhat.com/security/cve/CVE-2021-3521"},{"url":"https://github.com/rpm-software-management/rpm/pull/1795/","refsource":"MISC","name":"https://github.com/rpm-software-management/rpm/pull/1795/"},{"url":"https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8","refsource":"MISC","name":"https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8"},{"url":"https://security.gentoo.org/glsa/202210-22","refsource":"MISC","name":"https://security.gentoo.org/glsa/202210-22"}]}},"nvd":{"publishedDate":"2022-08-22 15:15:00","lastModifiedDate":"2023-02-12 23:41:00","problem_types":["CWE-347"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":4.7,"baseSeverity":"MEDIUM"},"exploitabilityScore":1,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rpm:rpm:*:*:*:*:*:*:*:*","versionEndExcluding":"4.17.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"3521","Ordinal":"207182","Title":"CVE-2021-3521","CVE":"CVE-2021-3521","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"3521","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}