CVE-2017-7436

EPSS 0.45%
Veröffentlicht 01.03.2018 20:29:00
Zuletzt bearbeitet 21.11.2024 03:31:53
Quelle security@opentext.com
CVE-Watchlists
Login
Unerledigt
Login

libzypp accepts unsigned packages even when configured to check signatures

In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opensuse ≫ Libzypp Version <= 16.15.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.45%	0.635

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C
security@opentext.com	8.1	2.2	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00002.html

https://bugzilla.suse.com/show_bug.cgi?id=1038984

https://www.suse.com/de-de/security/cve/CVE-2017-7436/

https://nvd.nist.gov/vuln/detail/CVE-2017-7436

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-7436

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-7436

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2017-7436