QwikSec

Security Database

CVE

CWE

Training

CVE-2020-10759

Published: Sep 15, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

A PGP signature bypass flaw was found in fwupd (all versions), which could lead to the installation of unsigned firmware. As per upstream, a signature bypass is theoretically possible, but not practical because the Linux Vendor Firmware Service (LVFS) is either not implemented or enabled in versions of fwupd shipped with Red Hat Enterprise Linux 7 and 8. The highest threat from this vulnerability is to confidentiality and integrity.

Vendor	Product	Versions
n/a	fwupd	affected `all verions of fwupd`

Weaknesses (CWE)

References

https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=1844316

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.