CVE-2017-7435 HIGH

CVE-2017-7435: libzypp accepts unsigned 3rd party repo without warning

Vendor SUSE
Product libzypp
Published March 1, 2018
Last update September 16, 2024

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

In libzypp before 20170803, unsigned YUM repositories could be added without any warning to the user, which could allow a man-in-the-middle or a malicious server to inject malicious RPM packages into a user's system.

Key dates

02 Disclosure timeline

March 1, 2018 CVE published
September 16, 2024 Record updated