Vulnerabilities > RPM

DATE CVE VULNERABILITY TITLE RISK
2022-08-26 CVE-2021-35939 Link Following vulnerability in multiple products
It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created.
local
low complexity
rpm redhat CWE-59
6.7
2022-08-25 CVE-2021-35937 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in multiple products
A race condition vulnerability was found in rpm.
local
high complexity
rpm redhat fedoraproject CWE-367
6.4
2022-08-25 CVE-2021-35938 Link Following vulnerability in multiple products
A symbolic link issue was found in rpm.
local
low complexity
rpm fedoraproject redhat CWE-59
6.7
2022-08-22 CVE-2021-3521 Improper Verification of Cryptographic Signature vulnerability in RPM
There is a flaw in RPM's signature functionality.
local
high complexity
rpm CWE-347
4.7
2021-05-19 CVE-2021-3421 Improper Verification of Cryptographic Signature vulnerability in multiple products
A flaw was found in the RPM package in the read functionality.
local
low complexity
rpm redhat fedoraproject CWE-347
5.5
2021-05-19 CVE-2021-3445 Improper Verification of Cryptographic Signature vulnerability in multiple products
A flaw was found in libdnf's signature verification functionality in versions before 0.60.1.
network
high complexity
rpm fedoraproject redhat CWE-347
7.5
2021-04-30 CVE-2021-20266 Out-of-bounds Read vulnerability in multiple products
A flaw was found in RPM's hdrblobInit() in lib/header.c.
network
low complexity
rpm fedoraproject CWE-125
4.9
2021-03-26 CVE-2021-20271 Insufficient Verification of Data Authenticity vulnerability in multiple products
A flaw was found in RPM's signature check functionality when reading a package file.
7.0
2019-03-27 CVE-2019-3817 Use After Free vulnerability in RPM Libcomps
A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged.
network
low complexity
rpm CWE-416
8.8
2018-08-13 CVE-2017-7500 Link Following vulnerability in RPM 4.13.0.1/4.14.0.0
It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination.
local
low complexity
rpm CWE-59
7.8