Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Network-delivered metadata (AV:N) with no attacker auth (PR:N) but mandatory victim repo refresh (UI:R); root-privileged file overwrite yields privesc, so I:H/A:H and C:H via resulting code execution.
Primary rating from Vendor (suse).
CVSS VectorVendor: suse
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A relative path traversal bug problem when processing repository metadata in libzypp before 17.38.10 could be used by remote attackers supplying repositories to overwrite files on the system, leading to denial of service or privilege escalation.
AnalysisAI
Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant crafted repository metadata (repomd/SUSE content files) with '../' location paths that escape the repo root, allowing files anywhere on the system to be overwritten when a victim adds and refreshes that repository. Because zypper-based refresh operations typically run as root, this can escalate to privilege escalation or denial of service. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to add and refresh/use an attacker-controlled (or MITM-intercepted) zypper repository, and the malicious repomd.xml or SUSE-tags content file must contain a location href, descrdir/datadir, or HASH entry using relative '../' path components that resolve outside the repository root. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, base 8.8) reflects network delivery with low complexity, no attacker privileges, but mandatory user interaction - the victim must configure and refresh the malicious repository. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts (or man-in-the-middles) a repository and publishes a repomd.xml or content file containing a <location href="../../etc/..."> style entry. When a victim adds that repository and runs a refresh/install as root, libzypp resolves the traversal path and overwrites a sensitive system file, enabling denial of service or planting attacker-controlled content that yields root-level privilege escalation. … |
| Remediation | Vendor-released patch: 17.38.10 - upgrade libzypp to 17.38.10 or later via your SUSE/openSUSE update channel as the primary fix (commit f09feda7fca03c941218aab0bb161cc82b185b6b adds path sanitization that discards metadata entries resolving outside the repo root). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running libzypp versions earlier than 17.38.10 and catalog which systems have configured third-party repositories. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Arbitrary root file write in libzypp before 17.38.12 lets an attacker who can get a victim to add or refresh a malicious
The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the c
Path traversal in libzypp's .repo file processing enables low-privileged network-accessible attackers to write content i
The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40062
GHSA-4h5m-3w75-qcq5