Public Date:
CWE-252 -> CWE-347
1057377: CVE-2014-0022 yum: yum-cron installs unsigned packages
It was discovered that yum-updatesd did not properly perform RPM package signature checks. When yum-updatesd was configured to automatically install updates, a remote attacker could use this flaw to install a malicious update on the target system using an unsigned RPM or an RPM signed with an untrusted key.

Find out more about CVE-2014-0022 from the MITRE CVE dictionary dictionary and NIST NVD.


This issue did not affect the versions of yum as shipped with Red Hat Enterprise Linux 6 and 7.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 7.6
Base Metrics AV:N/AC:H/Au:N/C:C/I:C/A:C
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux version 5 (yum-updatesd) RHSA-2014:1004 2014-08-05

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 7 yum Not affected
Red Hat Enterprise Linux 6 yum Not affected