Libzypp
CVE-2018-7685
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow installation, a problem caused by malicious warnings only displayed during download.
AnalysisAI
The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-358. The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow installation, a problem caused by malicious warnings only displayed during download. Affected products include: Opensuse Libzypp. Version information: before 17.5.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant craf
Arbitrary root file write in libzypp before 17.38.12 lets an attacker who can get a victim to add or refresh a malicious
Path traversal in libzypp's .repo file processing enables low-privileged network-accessible attackers to write content i
The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today