CVE-2017-7436

Description

In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system.

CVSS breakdown

CVSS 3.0

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

SUSE / libzyppunspecified – 20170803

References

MAILING_LISThttps://lists.opensuse.org/opensuse-security-announce/2017-08/msg00002.html
MISChttps://bugzilla.suse.com/show_bug.cgi?id=1038984
MISChttps://www.suse.com/de-de/security/cve/CVE-2017-7436/