A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| patrick@puiterwijk.org | 7.3 | HIGH | CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H | 0.7 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | hci_compute_node | - |
| netapp | oncommand_workflow_automation | - |
| sparkle-project | sparkle | * |