PT-2018-8493 · Opensuse+1 · Libzypp+1

Moritz Duge

Published

2017-08-03

Updated

2024-06-15

CVE-2017-9269

CVSS v3.1

7.7

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions libzypp versions prior to August 2018

Description The issue concerns the incorrect pinning of GPG keys attached to YUM repositories in libzypp, allowing malicious repository mirrors to silently downgrade to unsigned repositories. This could potentially lead to the distribution of malicious content.

Recommendations For versions prior to August 2018, ensure that GPG keys are properly pinned to prevent malicious repository mirrors from downgrading to unsigned repositories. As a temporary workaround, consider restricting access to repository mirrors to minimize the risk of exploitation.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-757CWE-20

Related Identifiers

CVE-2017-9269

OPENSUSE-SU-2017_2111-1

OPENSUSE-SU-2017_2335-1

OPENSUSE-SU-2018_2739-1

OPENSUSE-SU-2024:11019-1

OPENSUSE-SU-2024:11545-1

SUSE-SU-2017:2040-1

SUSE-SU-2017:2264-1

SUSE-SU-2018:2555-1

SUSE-SU-2018:2688-1

SUSE-SU-2018:2690-1

SUSE-SU-2018:2716-1

SUSE-SU-2018:2716-2

SUSE-SU-2018:2814-1

SUSE-SU-2018_2690-1

SUSE-SU-2018_2716-1

SUSE-SU-2018_2716-2

SUSE-SU-2018_2814-1

Affected Products

Suse

Libzypp

PT-2018-8493 · Opensuse+1 · Libzypp+1

CVE-2017-9269

Weakness Enumeration

Related Identifiers

Affected Products

References · 77