CVE-2014-0022

CVSS V2 Medium 5 CVSS V3 None
Description
The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RMP package signing restriction via an unsigned package.
Overview
  • CVE ID
  • CVE-2014-0022
  • Assigner
  • secalert@redhat.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2014-01-26T16:58:11
  • Last Modified Date
  • 2023-02-13T00:29:57
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:baseurl:yum:*:*:*:*:*:*:*:* 1 OR 3.4.3
cpe:2.3:a:baseurl:yum:3.4.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:baseurl:yum:3.4.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:baseurl:yum:3.4.2:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:N/C:N/I:P/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • PARTIAL
  • Availability Impact
  • NONE
  • Base Score
  • 5
  • Severity
  • MEDIUM
  • Exploitability Score
  • 10
  • Impact Score
  • 2.9
History
Created Old Value New Value Data Type Notes
2022-05-10 10:38:33 Added to TrackCVE
2022-12-01 21:42:13 2014-01-26T16:58Z 2014-01-26T16:58:11 CVE Published Date updated
2022-12-01 21:42:13 2014-01-27T17:20:03 CVE Modified Date updated
2022-12-01 21:42:13 Analyzed Vulnerability Status updated
2023-02-02 17:04:20 2023-02-02T16:15:24 CVE Modified Date updated
2023-02-02 17:04:20 Analyzed Modified Vulnerability Status updated
2023-02-02 17:04:21 The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RMP package signing restriction via an unsigned package. It was discovered that yum-updatesd did not properly perform RPM package signature checks. When yum-updatesd was configured to automatically install updates, a remote attacker could use this flaw to install a malicious update on the target system using an unsigned RPM or an RPM signed with an untrusted key. Description updated
2023-02-02 17:04:22 References updated
2023-02-13 01:04:37 2023-02-13T00:29:57 CVE Modified Date updated
2023-02-13 01:04:38 It was discovered that yum-updatesd did not properly perform RPM package signature checks. When yum-updatesd was configured to automatically install updates, a remote attacker could use this flaw to install a malicious update on the target system using an unsigned RPM or an RPM signed with an untrusted key. The installUpdates function in yum-cron/yum-cron.py in yum 3.4.3 and earlier does not properly check the return value of the sigCheckPkg function, which allows remote attackers to bypass the RMP package signing restriction via an unsigned package. Description updated