Skip to main content

Portage

2 CVEs product

Monthly

CVE-2016-20021 PyPI CRITICAL PATCH Act Now

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Portage
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2013-2100 PyPI CRITICAL POC PATCH Act Now

The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Portage
NVD
CVSS 2.0
9.3
EPSS
0.6%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Portage
NVD
EPSS 1% CVSS 9.3
CRITICAL POC PATCH Act Now

The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available.

Information Disclosure Portage
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy