CVE-2018-7685

CWE-358, CWE-347
7 documents, 6 sources
Severity: 7.8 HIGH
EPSS: 0.1% (top 77.84%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 31
Latest update: May 13

Description

The decoupled download and installation steps in libzypp before 17.5.0 could leave a corrupted RPM in the cache; a later installation call would not re-display the corrupted RPM warning and would allow the package to be installed. The root cause is that warnings about a malicious RPM are only shown during the download step, not re-evaluated at installation time.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5: suse/libzypp, affected: unspecified, fixed: 17.5.0
NVD: opensuse/libzypp, affected: < 17.5.0
Debian: libzypp, affected: < 17.6.1-1+3

🔴 Vulnerability Details (3)

GHSA: GHSA-mrf9-ghhp-cjff: The decoupled download and installation steps in libzypp before 17 | 2022-05-13
OSV: CVE-2018-7685: The decoupled download and installation steps in libzypp before 17 | 2018-08-31
CVEList: libzypp does not reevaluate malicious rpms once downloaded | 2018-08-31

📋 Vendor Advisories (1)

Debian: CVE-2018-7685: libzypp - The decoupled download and installation steps in libzypp before 17.5.0 could lea... | 2018

💬 Community (2)

Bugzilla: CVE-2018-7685 libzypp: decoupled download and installation allows corrupted RPM install | 2018-08-31
Bugzilla: CVE-2018-7685 libzypp: decoupled download and installation allows corrupted RPM install [fedora-all] | 2018-08-31