Lack of key pinning in libzypp could lead to repository switching
CVE-2017-9269
7.7 HIGH
Summary
In libzypp before August 2018, the GPG key attached to a YUM repository was not correctly pinned: once a repository had been accepted as signed, a mirror that stopped serving the detached signature for its repository metadata (repomd.xml) was not treated as an error. A malicious repository mirror could therefore silently downgrade a signed repository to an unsigned one and serve potentially malicious content.
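The downgrade the summary describes, as an added example (not libzypp source, and not code from the reporters): a small Python model of the decision a client makes when a mirror serves repodata/repomd.xml with or without its detached signature repomd.xml.asc. OpenPGP signatures and key fingerprints are replaced by HMAC-SHA256 stand-ins so the script runs offline (an assumption made for the example only); `RepoConfig`, `MirrorResponse`, the two policy functions and the verdict strings are hypothetical names, and the keys and metadata are constructed. `vulnerable_policy` follows the behaviour the advisory reports, a missing signature turning a pinned, signed repository into an accepted unsigned one; `hardened_policy` treats a missing signature like a bad one once a key is pinned.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example, not libzypp source. It models the trust decision a package
# manager makes after fetching repodata/repomd.xml (+ .asc, + .key) from a
# mirror. OpenPGP is stood in by HMAC-SHA256 (assumption) so the script runs
# offline; what matters is how a missing signature is treated.


def fingerprint(key: bytes) -> str:
    """Stand-in for an OpenPGP key fingerprint: SHA-256 of the key bytes (assumption)."""
    return hashlib.sha256(key).hexdigest().upper()


def sign(key: bytes, data: bytes) -> bytes:
    """Stand-in for the detached signature shipped as repomd.xml.asc."""
    return hmac.new(key, data, "sha256").digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


@dataclass
class RepoConfig:
    gpgcheck: bool                 # signature checking enabled for this repo
    trusted_key: Optional[bytes]   # key the admin accepted for this repo, i.e. the pin


@dataclass
class MirrorResponse:
    repomd: bytes                  # repodata/repomd.xml as the mirror served it
    repomd_asc: Optional[bytes]    # repodata/repomd.xml.asc, None if the mirror omitted it
    repomd_key: Optional[bytes]    # repodata/repomd.xml.key, None if not offered


def _check_signed(cfg: RepoConfig, resp: MirrorResponse) -> str:
    """Shared path for the case where a signature is present."""
    if cfg.trusted_key is None:
        return "REJECT_UNKNOWN_KEY"        # a new key needs out-of-band confirmation
    if resp.repomd_key is not None and fingerprint(resp.repomd_key) != fingerprint(cfg.trusted_key):
        return "REJECT_KEY_MISMATCH"       # mirror offers a key other than the pinned one
    if not verify(cfg.trusted_key, resp.repomd, resp.repomd_asc):
        return "REJECT_BAD_SIGNATURE"
    return "ACCEPT_SIGNED"


def vulnerable_policy(cfg: RepoConfig, resp: MirrorResponse) -> str:
    """Behaviour the advisory describes: no .asc means 'unsigned repo', and an
    unsigned repo is used as-is even though a key is pinned for it."""
    if not cfg.gpgcheck:
        return "ACCEPT_UNCHECKED"
    if resp.repomd_asc is None:
        return "ACCEPT_UNSIGNED"           # the silent downgrade
    return _check_signed(cfg, resp)


def hardened_policy(cfg: RepoConfig, resp: MirrorResponse) -> str:
    """Once a key is pinned, a missing signature is a failure like a bad one."""
    if not cfg.gpgcheck:
        return "ACCEPT_UNCHECKED"          # explicit opt-out by the admin, never implicit
    if resp.repomd_asc is None:
        return "REJECT_NO_SIGNATURE"       # a signed repo must stay signed
    return _check_signed(cfg, resp)


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Constructed keys and metadata; returns (vulnerable, hardened) verdicts per mirror."""
    vendor_key = b"vendor signing key (constructed for this example)"
    attacker_key = b"attacker key (constructed for this example)"
    genuine = b'<repomd><data type="primary"><checksum type="sha256">a1b2</checksum></data></repomd>'
    tampered = genuine.replace(b"a1b2", b"dead")   # points clients at attacker-controlled primary.xml
    cfg = RepoConfig(gpgcheck=True, trusted_key=vendor_key)

    mirrors = {
        "honest":   MirrorResponse(genuine,  sign(vendor_key, genuine),    vendor_key),
        "stripped": MirrorResponse(tampered, None,                         None),
        "resigned": MirrorResponse(tampered, sign(attacker_key, tampered), attacker_key),
    }
    return {name: (vulnerable_policy(cfg, r), hardened_policy(cfg, r)) for name, r in mirrors.items()}


if __name__ == "__main__":
    for name, (old, new) in run_scenarios().items():
        print(f"{name:9s} vulnerable={old:18s} hardened={new}")
```

The "resigned" mirror is caught by the pin under both policies; only the "stripped" mirror passes the old logic, which is exactly the silent downgrade the advisory describes. The practical check on a host is that the installed libzypp is a release from August 2018 or later and that signature checking is enabled for every repository; the policy and verdict names above are illustrative, not libzypp option names.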
Affected Version(s)
libzypp < 201808 (releases before August 2018)
CVSS V3.1
Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Credit
Moritz Duge and Till Doerges from PRESENSE