CVE-2021-20271

Description

A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

How to fix CVE-2021-20271

To remediate CVE-2021-20271, upgrade the affected package to a fixed version below.

—upgrade to 4.16.1.2+dfsg1-1 or later

Is CVE-2021-20271 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.16.1.2+dfsg1-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.0	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-20271