CVE-2017-9269

CWE-757 CWE-20 — Improper Input Validation5 documents5 sources

Severity

9.8CRITICAL

EPSS

0.5%

top 36.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Suse Libzypp

Timeline

PublishedMar 1

Latest updateMay 13

Description

In libzypp before August 2018 GPG keys attached to YUM repositories were not correctly pinned, allowing malicious repository mirrors to silently downgrade to unsigned repositories with potential malicious content.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:LExploitability: 2.2 | Impact: 5.5

Affected Packages2 packages

▶CVEListV5suse/libzyppunspecified — 201808

▶Debianlibzypp< 17.3.1-1+3

🔴Vulnerability Details

GHSA

GHSA-fvp9-wx3h-666q: In libzypp before August 2018 GPG keys attached to YUM repositories were not correctly pinned, allowing malicious repository mirrors to silently downg↗2022-05-13

▶

OSV

CVE-2017-9269: In libzypp before August 2018 GPG keys attached to YUM repositories were not correctly pinned, allowing malicious repository mirrors to silently downg↗2018-03-01

▶

CVEList

lack of keypinning in libzypp could lead to repository switching↗2018-03-01

▶

📋Vendor Advisories

Debian

CVE-2017-9269: libzypp - In libzypp before August 2018 GPG keys attached to YUM repositories were not cor...↗2017

▶