Vulnerabilities > RPM
| Published | CVE | Title | Description | Score |
|---|---|---|---|---|
| 2021-05-19 | CVE-2021-3421 | Improper Verification of Cryptographic Signature vulnerability in multiple products | A flaw was found in the RPM package in the read functionality. | 4.3 |
| 2021-05-19 | CVE-2021-3445 | Improper Verification of Cryptographic Signature vulnerability in multiple products | A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. | 5.1 |
| 2021-04-30 | CVE-2021-20266 | Out-of-bounds Read vulnerability in multiple products | A flaw was found in RPM's hdrblobInit() in lib/header.c. | 4.0 |
| 2021-03-26 | CVE-2021-20271 | Insufficient Verification of Data Authenticity vulnerability in multiple products | A flaw was found in RPM's signature check functionality when reading a package file. | 5.1 |
| 2019-03-27 | CVE-2019-3817 | Use After Free vulnerability in RPM Libcomps | A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged. | 6.8 |
| 2018-08-13 | CVE-2017-7500 | Link Following vulnerability in RPM 188.8.131.52/184.108.40.206 | It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. | 7.2 |
| 2018-08-01 | CVE-2018-10897 | Path Traversal vulnerability in multiple products | A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. | 9.3 |
| 2017-11-22 | CVE-2017-7501 | Link Following vulnerability in RPM | It was found that versions of rpm before 220.127.116.11 use temporary files with predictable names when installing an RPM. | 4.6 |
| 2014-12-16 | CVE-2014-8118 | Numeric Errors vulnerability in RPM | Integer overflow in RPM 4.12 and earlier allows remote attackers to execute arbitrary code via a crafted CPIO header in the payload section of an RPM file, which triggers a stack-based buffer overflow. | 10.0 |
| 2014-12-16 | CVE-2013-6435 | Injection vulnerability in multiple products | Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory. | 7.6 |