CVE-2020-10759
N/A
N/A
Summary
A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | fwupd | all verions of fwupd | affected |
Weaknesses
- CWE-347: CWE-347
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
- https://bugzilla.redhat.com/show_bug.cgi?id=1844316
References
- https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
- https://bugzilla.redhat.com/show_bug.cgi?id=1844316
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.