CVE-2016-20021

CRITICAL EPSS 36.8%

Published Jan 12, 20242y ago · Modified Jun 17, 20261w ago

9.8 CVSS 3.1

Critical

Published Jan 12, 2024 2y ago

Last Modified Jun 17, 2026 1w ago

Description

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Unless emerge-webrsync is used, Portage is not vulnerable.

CVSS Details

Base Score

9.8

Exploitability

3.9

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

36.8% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-347

Affected Products 1

Vendor	Product	Version	Range
gentoo	portage	*	<3.0.47

References 3

bugs.gentoo.org https://bugs.gentoo.org/597800

Issue TrackingPatch
gitweb.gentoo.org https://gitweb.gentoo.org/proj/portage.git/tree/NEWS

Release Notes
wiki.gentoo.org https://wiki.gentoo.org/wiki/Portage

Product

Remediation

bugs.gentoo.org https://bugs.gentoo.org/597800

Issue TrackingPatch