CVE-2017-2623 MEDIUM

Vendor Project Atomic
Product rpm-ostree
Weakness CWE-295
Published July 27, 2018
Last update August 5, 2024

CVSS base score

5.3/10 (Medium)
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability None

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

Description

It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing package layering. As a result, packages with unsigned or badly signed content could be accepted instead of being rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.

Key dates

Disclosure timeline

July 27, 2018 CVE published
August 5, 2024 Record updated