libzypp accepts unsigned 3rd party repo without warning
CVE-2017-7435

8.1HIGH

Key Information:

Vendor: Suse
Status: Libzypp
Vendor: CVE Published:; 1 March 2018

What is CVE-2017-7435?

In libzypp before 20170803 it was possible to add unsigned YUM repositories without warning to the user that could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system.

Affected Version(s)

libzypp < 20170803

References

https://lists.opensuse.org/opensuse-security-announce/201...

vendor-advisoryx_refsource_SUSE

https://www.suse.com/de-de/security/cve/CVE-2017-7435/

x_refsource_CONFIRM

https://bugzilla.suse.com/show_bug.cgi?id=1009127

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 1, 2018
Vulnerability Reserved
Apr 5, 2017

Credit

Ludwig Nussel of SUSE

Suse

What is CVE-2017-7435?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit