CVE-2013-3704
libzypp < 12.15.0 - GPG Key Fingerprint Spoofing via Multiple Key Blobs
The RPM GPG key import and handling feature in libzypp 12.15.0 and earlier reports a different key fingerprint than the one used to sign a repository when multiple key blobs are used, which might allow remote attackers to trick users into believing that the repository was signed by a more-trustworthy key.
References (2)
Mailing List, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2013-09/msg00022.html
Mailing List, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2013-09/msg00023.html
Scores
EPSS: 0.0021
EPSS Percentile: 43.4%
Details
CWE: CWE-310
Status: published
Products (7)
novell/libzypp 11.2
novell/libzypp 11.3
novell/libzypp 11.4
novell/libzypp 12.1
novell/libzypp 12.2
novell/libzypp 12.3
novell/libzypp < 12.15.0
Published: Oct 28, 2013
Tracked Since: Feb 18, 2026