9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2016-20021

GHSA ID

GHSA-pw5x-x5jw-ccmh

EPSS Score

0.16377%

CWE

CWE-347

Published

1/12/2024

Updated

8/30/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-20021

CVE-2016-20021: Gentoo Portage missing PGP validation of executed code

In Gentoo Portage before 3.0.47, there is missing PGP validation of executed code: the standalone emerge-webrsync downloads a .gpgsig file but does not perform signature verification.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2016-20021

CVE-2016-20021:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2016-20021

GHSA ID

GHSA-pw5x-x5jw-ccmh

EPSS Score

0.16377%

CWE

CWE-347

Published

1/12/2024

Updated

8/30/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
portage	pip	>= 0, < 3.0.47	3.0.47

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing PGP validation in emerge-webrsync's handling of webrsync snapshots. The commit 28cd240 explicitly adds PGP verification via gemato and reworks the check_file_signature logic. The diff shows:

Original check_file_signature lacked proper verification flows (relying on deprecated webrsync-gpg)
do_snapshot fetched .gpgsig but didn't validate unless explicitly configured
The patch introduces WEBRSYNC_VERIFY_SIGNATURE handling and gemato integration, confirming the prior absence of validation. These functions were directly responsible for the insecure behavior.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2016-20021: Gentoo Portage missing PGP validation of executed code

CVE-2016-20021:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

9.8

9.8

Basic Information

Basic Information

CVE-2016-20021: Gentoo Portage missing PGP validation of executed code

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI