Unrated severity. NVD Advisory. Published Mar 1, 2018. Updated Sep 16, 2024.
libzypp accepts unsigned 3rd party repo without warning
CVE-2017-7435
Description
In libzypp before 20170803, it was possible to add unsigned YUM repositories without warning the user, which could allow a man-in-the-middle attacker or a malicious server to inject malicious RPM packages into a user's system.
Affected products
25 affected products (24 OSV coordinates, each listed with its vulnerable version range):
- pkg:rpm/opensuse/libzypp&distro=openSUSE%20Tumbleweed (no CPE): < 17.28.4-1.2
- pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2 (no CPE): < 16.15.2-27.21.1
- pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 (no CPE): < 16.15.3-2.3.1
- pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS (no CPE): < 15.25.17-46.22.1
- pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2 (no CPE): < 16.15.2-27.21.1
- pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 (no CPE): < 16.15.3-2.3.1
- pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS (no CPE): < 14.45.17-2.82.1
- pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2 (no CPE): < 16.15.2-27.21.1
- pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 (no CPE): < 15.25.17-46.22.1
- pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE): < 16.15.2-27.21.1
- pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE): < 16.15.3-2.3.1
- pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2 (no CPE): < 16.15.2-27.21.1
- pkg:rpm/suse/libzypp&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE): < 16.15.3-2.3.1
- pkg:rpm/suse/yast2-pkg-bindings-devel-doc&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE): < 3.2.4-2.3.1
- pkg:rpm/suse/yast2-pkg-bindings&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 (no CPE): < 3.2.4-2.3.1
- pkg:rpm/suse/yast2-pkg-bindings&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 (no CPE): < 3.2.4-2.3.1
- pkg:rpm/suse/yast2-pkg-bindings&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE): < 3.2.4-2.3.1
- pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2 (no CPE): < 1.13.30-18.13.3
- pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS (no CPE): < 1.12.59-46.10.1
- pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2 (no CPE): < 1.13.30-18.13.3
- pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS (no CPE): < 1.11.70-2.69.2
- pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2 (no CPE): < 1.13.30-18.13.3
- pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 (no CPE): < 1.12.59-46.10.1
- pkg:rpm/suse/zypper&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (no CPE): < 1.13.30-18.13.3
- SUSE/libzypp (v5): range unspecified
References
3 references:
- lists.opensuse.org/opensuse-security-announce/2017-08/msg00002.html (MITRE: vendor-advisory, x_refsource_SUSE)
- bugzilla.suse.com/show_bug.cgi (MITRE: x_refsource_CONFIRM)
- www.suse.com/de-de/security/cve/CVE-2017-7435/ (MITRE: x_refsource_CONFIRM)