How severe is CVE-2016-20021?

CVE-2016-20021 has a CVSS v3 score of 9.8 (CRITICAL).

CVE-2016-20021

Name: portage
Author: gentoo

9.8CRITICAL

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-we

发布于: 1/12/2024更新于: 6/3/2025

描述

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable.

AI分析AI驱动

受影响产品

gentooportage

参考资料

https://bugs.gentoo.org/597800
Issue TrackingPatch
https://gitweb.gentoo.org/proj/portage.git/tree/NEWS
Release Notes
https://wiki.gentoo.org/wiki/Portage
Product
https://bugs.gentoo.org/597800
Issue TrackingPatch
https://gitweb.gentoo.org/proj/portage.git/tree/NEWS
Release Notes
https://wiki.gentoo.org/wiki/Portage
Product