FL-9631: app-arch/rpm CVE-2021-3421 vulnerability

    • Type: Security Vulnerability
    • Resolution: Fixed
    • Priority: Normal

      When checking the system, I see that rpm is present and, according to the scan, it is susceptible to the above-mentioned CVE-2021-3421.

      {
          "id":"CVE-2021-3421",
          "is_known_exploited_vuln":false,
          "description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.",
          "urls":[
              "https://nvd.nist.gov/vuln/detail/CVE-2021-3421",
              "https://bugzilla.redhat.com/show_bug.cgi?id=1927747",
              "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHRPNBCRPDJHHQE3MBPSZK4H7X2IM7AC/",
              "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YILPBTPSBRYL4POBI3F4YUSVPSOQNJBY/",
              "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TMGXO3W6DHPO62GJ4VVF5DEUX5DRUR5K/",
              "https://security.gentoo.org/glsa/202107-43"
          ]
      }

      Overall, a small impact due to the Funtoo system characteristics, but it does make it possible.

      To eliminate the CVE, please upgrade to the latest version available on the RPM.org Timeline:
      http://rpm.org/timeline
      Additionally, I would consider moving it to the sys-apps category, where we have portage, because from my point of view it is the same package manager as emerge, which is in sys-apps/portage.

            seemant
            tczaude