Libzypp
Monthly
Arbitrary root file write in libzypp before 17.38.12 lets an attacker who can get a victim to add or refresh a malicious software repository overwrite or inject files anywhere on the system as root, because the "keyhint" value in repomd.xml is parsed without rejecting path separators (CWE-23 relative path traversal). Because libzypp performs repository operations with root privileges on SUSE/openSUSE systems, this escalates directly to full host compromise. Publicly available exploit code exists (SSVC=poc); it is not listed in CISA KEV, and EPSS is low (0.49%, 38th percentile), consistent with a targeted rather than mass-exploited flaw.
Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant crafted repository metadata (repomd/SUSE content files) with '../' location paths that escape the repo root, allowing files anywhere on the system to be overwritten when a victim adds and refreshes that repository. Because zypper-based refresh operations typically run as root, this can escalate to privilege escalation or denial of service. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Path traversal in libzypp's .repo file processing enables low-privileged network-accessible attackers to write content into arbitrary directories on the host filesystem beyond the intended zypp cache boundary. Affected versions span the 17.x series before 17.38.13 and the 16.x series before 16.22.19, covering systems running SUSE Linux Enterprise and openSUSE derivatives that use zypper as their package manager. The primary real-world impact is disk exhaustion across unexpected filesystem paths, causing a denial of service; no confidentiality impact is attributed in the CVSS assessment. No public exploit or CISA KEV listing has been identified at time of analysis.
The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the one used to sign a repository when multiple key blobs are used, which might. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
Arbitrary root file write in libzypp before 17.38.12 lets an attacker who can get a victim to add or refresh a malicious software repository overwrite or inject files anywhere on the system as root, because the "keyhint" value in repomd.xml is parsed without rejecting path separators (CWE-23 relative path traversal). Because libzypp performs repository operations with root privileges on SUSE/openSUSE systems, this escalates directly to full host compromise. Publicly available exploit code exists (SSVC=poc); it is not listed in CISA KEV, and EPSS is low (0.49%, 38th percentile), consistent with a targeted rather than mass-exploited flaw.
Arbitrary file overwrite in libzypp before 17.38.10 lets a remote attacker who controls a software repository plant crafted repository metadata (repomd/SUSE content files) with '../' location paths that escape the repo root, allowing files anywhere on the system to be overwritten when a victim adds and refreshes that repository. Because zypper-based refresh operations typically run as root, this can escalate to privilege escalation or denial of service. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Path traversal in libzypp's .repo file processing enables low-privileged network-accessible attackers to write content into arbitrary directories on the host filesystem beyond the intended zypp cache boundary. Affected versions span the 17.x series before 17.38.13 and the 16.x series before 16.22.19, covering systems running SUSE Linux Enterprise and openSUSE derivatives that use zypper as their package manager. The primary real-world impact is disk exhaustion across unexpected filesystem paths, causing a denial of service; no confidentiality impact is attributed in the CVSS assessment. No public exploit or CISA KEV listing has been identified at time of analysis.
The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the one used to sign a repository when multiple key blobs are used, which might. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.