CVE-2017-2623

Published: Jul 27, 2018Modified: Nov 21, 2024

5.3

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 1.6 / Impact: 3.6

Source: NVD

Description

It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.

Affected (3)

Products: Rpm Ostree: Rpm Ostree, Rpm Ostree Client · Redhat: Enterprise Linux

2 products

Rpm Ostree Client

1 product

Enterprise Linux

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Rpm Ostree Rpm Ostree	Before 2017.3
Rpm Ostree Rpm Ostree Client	Before 2017.3

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 7.0

Related CWEs

Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

References (6)

http://www.securityfocus.com/bid/96558

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:0444

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2623

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

http://www.securityfocus.com/bid/96558

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:0444

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2623

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

Timeline

No history available yet.