PT-2018-8493 · Opensuse+1 · Libzypp+1

Moritz Duge

Publicado

2017-08-03

Atualizado

2024-06-15

CVE-2017-9269

CVSS v3.1

7.7

Alta

Vetor

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions libzypp versions prior to August 2018

Description The issue concerns the incorrect pinning of GPG keys attached to YUM repositories in libzypp, allowing malicious repository mirrors to silently downgrade to unsigned repositories. This could potentially lead to the distribution of malicious content.

Recommendations For versions prior to August 2018, ensure that GPG keys are properly pinned to prevent malicious repository mirrors from downgrading to unsigned repositories. As a temporary workaround, consider restricting access to repository mirrors to minimize the risk of exploitation.

Correção

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-757CWE-20

Identificadores relacionados

CVE-2017-9269

OPENSUSE-SU-2017_2111-1

OPENSUSE-SU-2017_2335-1

OPENSUSE-SU-2018_2739-1

OPENSUSE-SU-2024:11019-1

OPENSUSE-SU-2024:11545-1

SUSE-SU-2017:2040-1

SUSE-SU-2017:2264-1

SUSE-SU-2018:2555-1

SUSE-SU-2018:2688-1

SUSE-SU-2018:2690-1

SUSE-SU-2018:2716-1

SUSE-SU-2018:2716-2

SUSE-SU-2018:2814-1

SUSE-SU-2018_2690-1

SUSE-SU-2018_2716-1

SUSE-SU-2018_2716-2

SUSE-SU-2018_2814-1

Produtos afetados

Suse

Libzypp

PT-2018-8493 · Opensuse+1 · Libzypp+1

CVE-2017-9269

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 77