CVSS: 4.0EPSS: 0%CPEs: 6EXPL: 0CVE-2019-18900 – libzypp stores cookies world readable
https://notcve.org/view.php?id=CVE-2019-18900
24 Jan 2020 — : Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS Platform 3.0, SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15 allowed local attackers to read a cookie store used by libzypp, exposing private cookies. This issue affects: SUSE CaaS Platform 3.0 libzypp versions prior to 16.21.2-27.68.1. SUSE Linux Enterprise Server 12 libzypp versions prior to 16.21.2-2.45.1. SUSE Linux Enterprise Server 15 17.19.0-3.34.1. Una vulnerabilidad de Permisos Predeterminados Incorrectos en lib... • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00036.html • CWE-276: Incorrect Default Permissions •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-7685 – libzypp does not reevaluate malicious rpms once downloaded
https://notcve.org/view.php?id=CVE-2018-7685
31 Aug 2018 — The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow installation, a problem caused by malicious warnings only displayed during download. Los pasos de descarga e instalación desacoplados en libzypp en versiones anteriores a la 17.5.0 podría conducir a que un RPM corrupto se deje en la caché, en la que una llamada posterior no mostraría el aviso de RPM corrupto y p... • http://lists.suse.com/pipermail/sle-security-updates/2018-August/004510.html • CWE-347: Improper Verification of Cryptographic Signature CWE-358: Improperly Implemented Security Check for Standard •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-7435 – libzypp accepts unsigned 3rd party repo without warning
https://notcve.org/view.php?id=CVE-2017-7435
01 Mar 2018 — In libzypp before 20170803 it was possible to add unsigned YUM repositories without warning to the user that could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system. En libzypp, en versiones anteriores a la 20170803, fue posible añadir repositorios YUM no firmados sin avisar al usuario. Esto podía resultar en que un atacante Man-in-the-Middle (MitM) o servidores maliciosos inyectasen paquetes RPM maliciosos en el sistema de un usuario. • https://bugzilla.suse.com/show_bug.cgi?id=1009127 • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-7436 – libzypp accepts unsigned packages even when configured to check signatures
https://notcve.org/view.php?id=CVE-2017-7436
01 Mar 2018 — In libzypp before 20170803 it was possible to retrieve unsigned packages without a warning to the user which could lead to man in the middle or malicious servers to inject malicious RPM packages into a users system. En libzypp, en versiones anteriores a la 20170803, fue posible recuperar paquetes no firmados sin avisar al usuario. Esto podía resultar en que un atacante Man-in-the-Middle (MitM) o servidores maliciosos inyectasen paquetes RPM maliciosos en el sistema de un usuario. • https://bugzilla.suse.com/show_bug.cgi?id=1038984 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2013-3704
https://notcve.org/view.php?id=CVE-2013-3704
28 Oct 2013 — The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the one used to sign a repository when multiple key blobs are used, which might allow remote attackers to trick users into believing that the repository was signed by a more-trustworthy key. La funcionalidad de importación y manejo de claves RPM GPG en libzypp 12.15.0 y anteriores reporta una huella de clave diferente de la utilizada para firmar un repositorio cuando múltiples "blobs" de clave... • http://lists.opensuse.org/opensuse-updates/2013-09/msg00022.html • CWE-310: Cryptographic Issues •