CVE-2017-7435: libzypp accepts unsigned 3rd party repo without warning
First published: Thu Mar 01 2018(Updated: )
In libzypp before 20170803 it was possible to add unsigned YUM repositories without warning to the user that could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system.
Credit: meissner@suse.de
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Opensuse Libzypp | <=16.15.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2017-7435?
CVE-2017-7435 is a vulnerability in libzypp that allowed the addition of unsigned YUM repositories without warning, potentially allowing man-in-the-middle attacks or injection of malicious RPM packages.
How does CVE-2017-7435 affect Opensuse Libzypp?
CVE-2017-7435 affects Opensuse Libzypp versions up to and including 16.15.2.
What is the severity of CVE-2017-7435?
CVE-2017-7435 has a severity rating of 8.1 (Critical).
How can I fix CVE-2017-7435?
To fix CVE-2017-7435, update libzypp to a version after 20170803.
Where can I find more information about CVE-2017-7435?
More information about CVE-2017-7435 can be found at the following references: [1] [2] [3]
- collector/nvd-index
- agent/softwarecombine
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/references
- agent/title
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/opensuse
- canonical/opensuse libzypp
- version/opensuse libzypp/16.15.2