ID CVE-2003-0546
Summary up2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised.
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:up2date:3.0.7-1:*:i386:*:*:*:*:*
  • cpe:2.3:a:redhat:up2date:3.0.7-1:*:i386_gnome:*:*:*:*:*
  • cpe:2.3:a:redhat:up2date:3.1.23-1:*:i386:*:*:*:*:*
  • cpe:2.3:a:redhat:up2date:3.1.23-1:*:i386_gnome:*:*:*:*:*
CVSS
Base: 7.5 (as of 11-10-2017 - 01:29)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity PARTIAL
  • Availability PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
oval via4
accepted 2007-04-25T19:52:38.112-04:00
class vulnerability
contributors
  • name Jay Beale
    organization Bastille Linux
  • name Jay Beale
    organization Bastille Linux
  • name Thomas R. Jones
    organization Maitreya Security
description up2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised.
family unix
id oval:org.mitre.oval:def:631
status accepted
submitted 2003-09-03T12:00:00.000-04:00
title up2date RPM GPG Signature Verification Vulnerability
version 36
redhat via4
advisories
rhsa
id RHSA-2003:255
refmap via4
Last major update 11-10-2017 - 01:29
Published 27-08-2003 - 04:00
Last modified 11-10-2017 - 01:29