Описание
The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the one used to sign a repository when multiple key blobs are used, which might allow remote attackers to trick users into believing that the repository was signed by a more-trustworthy key.
Уязвимые конфигурации
Конфигурация 1Версия до 12.15.0 (включая)
Одно из
cpe:2.3:a:novell:libzypp:*:*:*:*:*:*:*:*
cpe:2.3:a:novell:libzypp:11.2:*:*:*:*:*:*:*
cpe:2.3:a:novell:libzypp:11.3:*:*:*:*:*:*:*
cpe:2.3:a:novell:libzypp:11.4:*:*:*:*:*:*:*
cpe:2.3:a:novell:libzypp:12.1:*:*:*:*:*:*:*
cpe:2.3:a:novell:libzypp:12.2:*:*:*:*:*:*:*
cpe:2.3:a:novell:libzypp:12.3:*:*:*:*:*:*:*
EPSS
Процентиль: 70%
0.00641
Низкий
4.3 Medium
CVSS2
Дефекты
CWE-310
Связанные уязвимости
debian
больше 12 лет назад
The RPM GPG key import and handling feature in libzypp 12.15.0 and ear ...
github
больше 3 лет назад
The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the one used to sign a repository when multiple key blobs are used, which might allow remote attackers to trick users into believing that the repository was signed by a more-trustworthy key.
EPSS
Процентиль: 70%
0.00641
Низкий
4.3 Medium
CVSS2
Дефекты
CWE-310