CVE-2023-22643
MEDIUMlibzypp-plugin-appdata < 1.0.1+git.20180426 - Command Injection via REPO Settings
Title source: llmDescription
An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in libzypp-plugin-appdata of SUSE Linux Enterprise Server for SAP 15-SP3; openSUSE Leap 15.4 allows attackers that can trick users to use specially crafted REPO_ALIAS, REPO_TYPE or REPO_METADATA_PATH settings to execute code as root. This issue affects: SUSE Linux Enterprise Server for SAP 15-SP3 libzypp-plugin-appdata versions prior to 1.0.1+git.20180426. openSUSE Leap 15.4 libzypp-plugin-appdata versions prior to 1.0.1+git.20180426.
References (1)
Core 1
Core References
Exploit, Issue Tracking, Patch, Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1206836
Scores
CVSS v3
6.3
EPSS
0.0017
EPSS Percentile
38.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (1)
opensuse/libzypp-plugin-appdata
< 1.0.1\+git.20180426
Published
Feb 07, 2023
Tracked Since
Feb 18, 2026