CVE-2021-35938 — MEDIUM (6.7)

Q: How severe is CVE-2021-35938?

CVE-2021-35938 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-35938?

Check the references section above for vendor advisories and patch information. Affected products include: Rpm Rpm, Fedoraproject Fedora, Redhat Enterprise Linux.

Vulnerability Description

A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS Score

6.7

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Rpm	Rpm	< 4.18.0
Fedoraproject	Fedora	34
Redhat	Enterprise Linux	7.0

Related Weaknesses (CWE)

CWE-59

References

https://access.redhat.com/security/cve/CVE-2021-35938Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1964114Issue TrackingVendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1157880ExploitIssue TrackingThird Party Advisory
https://github.com/rpm-software-management/rpm/commit/25a435e90844ea98fe5eb7bef2PatchThird Party Advisory
https://github.com/rpm-software-management/rpm/pull/1919PatchThird Party Advisory
https://rpm.org/wiki/Releases/4.18.0Release Notes
https://security.gentoo.org/glsa/202210-22Third Party Advisory
https://access.redhat.com/security/cve/CVE-2021-35938Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1964114Issue TrackingVendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1157880ExploitIssue TrackingThird Party Advisory
https://github.com/rpm-software-management/rpm/commit/25a435e90844ea98fe5eb7bef2PatchThird Party Advisory
https://github.com/rpm-software-management/rpm/pull/1919PatchThird Party Advisory
https://rpm.org/wiki/Releases/4.18.0Release Notes
https://security.gentoo.org/glsa/202210-22Third Party Advisory

FAQ

What is CVE-2021-35938?

CVE-2021-35938 is a vulnerability with a CVSS score of 6.7 (MEDIUM). A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original ...

How severe is CVE-2021-35938?

CVE-2021-35938 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-35938?

Check the references section above for vendor advisories and patch information. Affected products include: Rpm Rpm, Fedoraproject Fedora, Redhat Enterprise Linux.