How severe is CVE-2016-20021?

CVE-2016-20021 has a CVSS v3 score of 9.8 (CRITICAL).

CVE-2016-20021

Name: portage
Author: gentoo

9.8CRITICAL

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-we

Опубликовано: 1/12/2024Обновлено: 6/3/2025

Описание

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable.

ИИ-АнализНа базе ИИ

Затронутые продукты

gentooportage

Ссылки

https://bugs.gentoo.org/597800
Issue TrackingPatch
https://gitweb.gentoo.org/proj/portage.git/tree/NEWS
Release Notes
https://wiki.gentoo.org/wiki/Portage
Product
https://bugs.gentoo.org/597800
Issue TrackingPatch
https://gitweb.gentoo.org/proj/portage.git/tree/NEWS
Release Notes
https://wiki.gentoo.org/wiki/Portage
Product