CVE-2017-9269
7.7
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Summary
In libzypp before August 2018 GPG keys attached to YUM repositories were not correctly pinned, allowing malicious repository mirrors to silently downgrade to unsigned repositories with potential malicious content.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SUSE | libzypp | unspecified < 201808 | affected |
Weaknesses
- Malicious mirrors could downgrade repositories from trusted signed repositories to unsigned malicious repositories.
- CWE-757: CWE-757
ADP Enrichment
CVE Program Container
Additional References
- https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00002.html
- https://bugzilla.suse.com/show_bug.cgi?id=1045735
- https://www.suse.com/de-de/security/cve/CVE-2017-9269/
References
- https://lists.opensuse.org/opensuse-security-announce/2017-08/msg00002.html
- https://bugzilla.suse.com/show_bug.cgi?id=1045735
- https://www.suse.com/de-de/security/cve/CVE-2017-9269/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.