CVE-2018-7685

Published: Aug 31, 2018Modified: Nov 21, 2024

7.8

Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow installation, a problem caused by malicious warnings only displayed during download.

Affected (1)

Products: Opensuse: Libzypp

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Opensuse Libzypp	Before 17.5.0

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Improperly Implemented Security Check for Standard

The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.

References (6)

http://lists.suse.com/pipermail/sle-security-updates/2018-August/004510.html

Source: security@opentext.com

https://bugzilla.suse.com/show_bug.cgi?id=1091624

Source: security@opentext.com

https://www.suse.com/de-de/security/cve/CVE-2018-7685/

Source: security@opentext.com

http://lists.suse.com/pipermail/sle-security-updates/2018-August/004510.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.suse.com/show_bug.cgi?id=1091624

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.suse.com/de-de/security/cve/CVE-2018-7685/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.