CVE-2021-35938

Summary

A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Affected Software

VendorProductVersion RangeStatus
n/aRPMFixed in rpm v4.18.0affected

Weaknesses

  • CWE-59: CWE-59 - Improper Link Resolution Before File Access ('Link Following')

ADP Enrichment

CVE Program Container

Additional References

References