{"id":"CVE-2021-20271","details":"A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.","modified":"2026-04-10T04:29:16.880482Z","published":"2021-03-26T17:15:13Z","related":["MGASA-2021-0167","SUSE-SU-2021:2682-1","SUSE-SU-2021:3444-1","SUSE-SU-2022:3939-1","openSUSE-SU-2021:1366-1","openSUSE-SU-2021:2682-1","openSUSE-SU-2021:2685-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMGXO3W6DHPO62GJ4VVF5DEUX5DRUR5K/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHRPNBCRPDJHHQE3MBPSZK4H7X2IM7AC/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YILPBTPSBRYL4POBI3F4YUSVPSOQNJBY/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202107-43"},{"type":"ADVISORY","url":"https://www.starwindsoftware.com/security/sw-20220805-0002/"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1934125"},{"type":"FIX","url":"https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rpm-software-management/rpm","events":[{"introduced":"8c6c17759781da75c6aff861fab721d91269c0f9"},{"fixed":"a8eade3f53f9c64543813eac8cd5dad392eaae3b"},{"introduced":"cd7f9303ef1070f027493cad7d00bc66935af2a0"},{"fixed":"3659b8a04f5b8bacf6535e0124e7fe23f15286bd"},{"introduced":"0"},{"last_affected":"a071f1d0dfcb801c5cf11cc2d716abfa23f8c1ad"},{"introduced":"0"},{"last_affected":"696349830dab24ebe8e98391e60a7d8ca4c6ed66"},{"introduced":"0"},{"last_affected":"4b966110f47b7128cce5bc7143fe4380693d482b"},{"introduced":"0"},{"last_affected":"6811aa3803e30fdfe4c106657956bdde251eaeab"},{"introduced":"0"},{"last_affected":"2f127502096c359de6c9feb18f401dd51c8b98a7"},{"introduced":"0"},{"last_affected":"b210c486f531d805b2b8ca950f3748db572d18e9"},{"introduced":"0"},{"last_affected":"32a49f73d760f4162a37188073efd6bf5d464d9b"},{"fixed":"d6a86b5e69e46cc283b1e06c92343319beb42e21"}],"database_specific":{"versions":[{"introduced":"4.15.0"},{"fixed":"4.15.1.3"},{"introduced":"4.16.0"},{"fixed":"4.16.1.3"},{"introduced":"0"},{"last_affected":"4.15.0-alpha"},{"introduced":"0"},{"last_affected":"4.15.0-beta1"},{"introduced":"0"},{"last_affected":"4.15.0-rc1"},{"introduced":"0"},{"last_affected":"4.16.0-alpha"},{"introduced":"0"},{"last_affected":"4.16.0-beta2"},{"introduced":"0"},{"last_affected":"4.16.0-beta3"},{"introduced":"0"},{"last_affected":"4.16.0-rc1"}]}}],"versions":["rpm-4.11.0-alpha","rpm-4.12.0-alpha","rpm-4.13.0-alpha","rpm-4.15.0-alpha","rpm-4.15.0-beta1","rpm-4.15.0-rc1","rpm-4.15.0-release","rpm-4.15.1-release","rpm-4.16.0-alpha","rpm-4.16.0-beta2","rpm-4.16.0-beta3","rpm-4.16.0-rc1","rpm-4.16.0-release","rpm-4.16.1-release","rpm-4.16.1.1-release","rpm-4.16.1.2-release","rpm-4.4-release","rpm-4.4.1-release","rpm-4.4.2-release","rpm-4.4.2.1-rc1","rpm-4.4.2.1-rc2","rpm-4.8.0-beta1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-20271.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"v8-build14398"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}