CVE-2021-20271

Source
https://cve.org/CVERecord?id=CVE-2021-20271
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20271.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-20271
Published
2021-03-26T17:15:13Z
Modified
2026-03-15T22:38:58.308902Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

Affected packages

Git / github.com/rpm-software-management/rpm

Affected ranges

Type
GIT
Repo
https://github.com/rpm-software-management/rpm
Events
Introduced
Fixed
Introduced
Fixed
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "4.15.0"
        },
        {
            "fixed": "4.15.1.3"
        },
        {
            "introduced": "4.16.0"
        },
        {
            "fixed": "4.16.1.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.15.0-alpha"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.15.0-beta1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.15.0-rc1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.16.0-alpha"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.16.0-beta2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.16.0-beta3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.16.0-rc1"
        }
    ]
}

Affected versions

rpm-4.*
rpm-4.15.0-release
rpm-4.16.0-release
rpm-4.16.1-release
rpm-4.16.1.1-release
rpm-4.16.1.2-release

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20271.json"
unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "8.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "32"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "33"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "34"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "v8-build14398"
            }
        ]
    }
]
vanir_signatures
[
    {
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "function_hash": "20048171095207656906286157320215457454",
            "length": 1162.0
        },
        "source": "https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21",
        "id": "CVE-2021-20271-a263355a",
        "target": {
            "file": "lib/package.c",
            "function": "rpmReadPackageFile"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Function",
        "signature_version": "v1",
        "digest": {
            "function_hash": "42007002990315704298120220962834331013",
            "length": 1479.0
        },
        "source": "https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21",
        "id": "CVE-2021-20271-bb178e26",
        "target": {
            "file": "lib/package.c",
            "function": "headerMergeLegacySigs"
        }
    },
    {
        "deprecated": false,
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21",
        "id": "CVE-2021-20271-c02cf37b",
        "target": {
            "file": "lib/package.c"
        }
    }
]