CVE-2018-7685
libzypp does not reevaluate malicious rpms once downloaded
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
The decoupled download and installation steps in libzypp before 17.5.0 could leave a corrupted RPM in the cache; a later call would not display the corrupted-RPM warning and would allow installation, because the warning about a malicious RPM is only shown during the download step.
An update that solves two vulnerabilities and has 26 fixes is now available. This update for libzypp, zypper and libsolv provides the following fixes.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2018-03-05 CVE Reserved
- 2018-08-31 CVE Published
- 2024-09-17 CVE Updated
- 2025-03-30 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-347: Improper Verification of Cryptographic Signature
- CWE-358: Improperly Implemented Security Check for Standard
CAPEC
References (3)
URL | Tag | Source
---|---|---
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004510.html | X_refsource_misc |
https://bugzilla.suse.com/show_bug.cgi?id=1091624 | X_refsource_confirm |
https://www.suse.com/de-de/security/cve/CVE-2018-7685 | X_refsource_misc |