CVE-2013-3704

EUVD-2013-3637
The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the one used to sign a repository when multiple key blobs are used, which might allow remote attackers to trick users into believing that the repository was signed by a more-trustworthy key.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 64%
Affected Products (NVD)
VendorProductVersion
novelllibzypp
𝑥
≤ 12.15.0
novelllibzypp
11.2
novelllibzypp
11.3
novelllibzypp
11.4
novelllibzypp
12.1
novelllibzypp
12.2
novelllibzypp
12.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libzypp
bookworm
17.25.7-2.4
fixed
bullseye
17.25.7-1
fixed
sid
17.35.12-1
fixed
trixie
17.35.12-1
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-updates/2013-09/msg00022.html
http://lists.opensuse.org/opensuse-updates/2013-09/msg00023.html
http://lists.opensuse.org/opensuse-updates/2013-09/msg00022.html
http://lists.opensuse.org/opensuse-updates/2013-09/msg00023.html