CVE-2017-9269 HIGH

CVE-2017-9269: lack of keypinning in libzypp could lead to repository switching

Vendor Suse
Product libzypp
Weakness CWE-757
Published March 1, 2018
Last update September 17, 2024

CVSS base score

7.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability Low

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

What the vulnerability does

Description

In libzypp before August 2018, the GPG keys attached to YUM repositories were not correctly pinned, allowing a malicious repository mirror to silently downgrade a signed repository to an unsigned one, with potentially malicious content.
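The following Python models the downgrade the description refers to and the key-pinning check that stops it. It is an added example, not libzypp code: GPG signatures are replaced by HMAC over the metadata so it runs offline, the keys and repository metadata are constructed, and the helper names (`refresh_unpinned`, `refresh_pinned`, `downgrade_scenario`) are this example's own. The vulnerable policy verifies each refresh only against whatever key the mirror ships alongside it and accepts unsigned metadata outright; the pinned policy records the key fingerprint from the first verified refresh and rejects any later refresh that is unsigned or signed by a different key.

```python
"""Repository-key pinning versus unpinned refresh, modelled after CVE-2017-9269.

Added example, not libzypp code.  Signatures are simulated with HMAC so the
block runs offline; real libzypp verifies GPG signatures on repomd.xml.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class SigningKey:
    """Stand-in for a GPG key: a secret plus a public fingerprint (constructed)."""
    secret: bytes

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.secret).hexdigest()[:40].upper()

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self.secret, data, hashlib.sha256).digest()


@dataclass
class Mirror:
    """What a (possibly malicious) mirror serves for one refresh."""
    repomd: bytes                       # repomd.xml
    signature: Optional[bytes] = None   # repomd.xml.asc, or absent
    key: Optional[SigningKey] = None    # repomd.xml.key shipped by the mirror


@dataclass
class RepoState:
    """Client-side record for one repository across refreshes."""
    name: str
    pinned_fingerprint: Optional[str] = None   # set on first verified refresh
    content: Optional[bytes] = None


def _verify(key: SigningKey, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(key.sign(data), sig)


def refresh_unpinned(state: RepoState, mirror: Mirror) -> str:
    """Vulnerable policy: trust whatever the mirror ships this time.

    A signature is checked only against the key delivered with it, and a
    missing signature is treated as "unsigned repository", so a mirror can
    drop the signature or substitute its own key and the client follows.
    """
    if mirror.signature is None:
        state.content = mirror.repomd
        return "accepted-unsigned"
    if mirror.key is None or not _verify(mirror.key, mirror.repomd, mirror.signature):
        return "rejected-bad-signature"
    state.content = mirror.repomd
    return "accepted-signed"


def refresh_pinned(state: RepoState, mirror: Mirror) -> str:
    """Hardened policy: pin the repository to the key it was first verified with.

    After the first signed refresh, every later refresh must be signed by the
    same key; unsigned metadata and metadata signed by another key are refused.
    """
    if mirror.signature is None or mirror.key is None:
        return "rejected-unsigned"
    if state.pinned_fingerprint is not None and mirror.key.fingerprint != state.pinned_fingerprint:
        return "rejected-key-mismatch"
    if not _verify(mirror.key, mirror.repomd, mirror.signature):
        return "rejected-bad-signature"
    if state.pinned_fingerprint is None:
        state.pinned_fingerprint = mirror.key.fingerprint   # trust on first use
    state.content = mirror.repomd
    return "accepted-signed"


def downgrade_scenario(policy: Callable[[RepoState, Mirror], str]) -> List[str]:
    """Run the mirror-side downgrade against one refresh policy (constructed data)."""
    vendor_key = SigningKey(b"constructed vendor key")
    attacker_key = SigningKey(b"constructed attacker key")
    good = b"<repomd>good packages</repomd>"
    evil = b"<repomd>backdoored packages</repomd>"
    state = RepoState("example-repo")
    outcomes = []
    # 1. honest mirror: metadata signed by the vendor key
    outcomes.append(policy(state, Mirror(good, vendor_key.sign(good), vendor_key)))
    # 2. malicious mirror drops the signature entirely
    outcomes.append(policy(state, Mirror(evil)))
    # 3. malicious mirror signs with its own key and ships that key
    outcomes.append(policy(state, Mirror(evil, attacker_key.sign(evil), attacker_key)))
    return outcomes


if __name__ == "__main__":
    print("unpinned:", downgrade_scenario(refresh_unpinned))
    print("pinned:  ", downgrade_scenario(refresh_pinned))
```

Under the unpinned policy both malicious refreshes are accepted; under the pinned policy the unsigned refresh is rejected and the attacker-signed refresh fails the fingerprint comparison before its signature is even checked. The design point is that a repository's trust anchor must come from the client's own record (or the vendor's keyring), never from the same untrusted channel that delivers the metadata.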

Key dates

Disclosure timeline

March 1, 2018 CVE published
September 17, 2024 Record updated