CVE-2013-3704

The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the one used to sign a repository when multiple key blobs are used, which might allow remote attackers to trick users into believing that the repository was signed by a more-trustworthy key.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
VendorProductVersion
novelllibzypp
𝑥
≤ 12.15.0
novelllibzypp
11.2
novelllibzypp
11.3
novelllibzypp
11.4
novelllibzypp
12.1
novelllibzypp
12.2
novelllibzypp
12.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libzypp
bullseye
17.25.7-1
fixed
bookworm
17.25.7-2.4
fixed
sid
17.35.12-1
fixed
trixie
17.35.12-1
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-updates/2013-09/msg00022.html
http://lists.opensuse.org/opensuse-updates/2013-09/msg00023.html
http://lists.opensuse.org/opensuse-updates/2013-09/msg00022.html
http://lists.opensuse.org/opensuse-updates/2013-09/msg00023.html