CVE-2017-7436

CWE-20Improper Input Validation5 documents5 sources
Severity
8.1HIGH
EPSS
0.5%
top 33.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Suse LibzyppOpensuse Libzypp
Timeline
PublishedMar 1
Latest updateMay 13

Description

In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

CVEListV5suse/libzyppunspecified20170803
Debianlibzypp< 17.3.1-1+3
NVDopensuse/libzypp16.15.2

🔴Vulnerability Details

3
GHSA
GHSA-wf75-8v2m-5h2m: In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malici2022-05-13
CVEList
libzypp accepts unsigned packages even when configured to check signatures2018-03-01
OSV
CVE-2017-7436: In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malici2018-03-01

📋Vendor Advisories

1
Debian
CVE-2017-7436: libzypp - In libzypp before 20170803 it was possible to retrieve unsigned packages without...2017
CVE-2017-7436 (HIGH CVSS 8.1) | In libzypp before 20170803 it was p | cvebase.io