rpm package
almalinux/rpm-plugin-fapolicyd
pkg:rpm/almalinux/rpm-plugin-fapolicyd
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-35939 | — | < 4.16.1.3-27.el9_3 | 4.16.1.3-27.el9_3 | Aug 26, 2022 | It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. | ||
| CVE-2021-35938 | — | < 4.16.1.3-27.el9_3 | 4.16.1.3-27.el9_3 | Aug 25, 2022 | A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privile | ||
| CVE-2021-35937 | — | < 4.16.1.3-27.el9_3 | 4.16.1.3-27.el9_3 | Aug 25, 2022 | A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data conf | ||
| CVE-2021-3521 | — | < 4.14.3-19.el8_5.2 | 4.14.3-19.el8_5.2 | Aug 22, 2022 | There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a ma | ||
| CVE-2021-20266 | — | < 4.14.3-19.el8 | 4.14.3-19.el8 | Apr 30, 2021 | A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability. |
- CVE-2021-35939Aug 26, 2022affected < 4.16.1.3-27.el9_3fixed 4.16.1.3-27.el9_3
It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges.
- CVE-2021-35938Aug 25, 2022affected < 4.16.1.3-27.el9_3fixed 4.16.1.3-27.el9_3
A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privile
- CVE-2021-35937Aug 25, 2022affected < 4.16.1.3-27.el9_3fixed 4.16.1.3-27.el9_3
A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data conf
- CVE-2021-3521Aug 22, 2022affected < 4.14.3-19.el8_5.2fixed 4.14.3-19.el8_5.2
There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a ma
- CVE-2021-20266Apr 30, 2021affected < 4.14.3-19.el8fixed 4.14.3-19.el8
A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.