Vulnerability Name: CVE-2017-9271 (CCN-139854)

Assigned: 2017-07-26
Published: 2017-07-26
Updated: 2021-02-25
Summary: The commandline package update tool zypper writes HTTP proxy credentials into its logfile, allowing local attackers to gain access to proxies used.
CVSS v3 Severity:
  3.3 Low (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
  2.9 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:R)
    Exploitability Metrics:
      Attack Vector (AV): Local
      Attack Complexity (AC): Low
      Privileges Required (PR): Low
      User Interaction (UI): None
    Scope:
      Scope (S): Unchanged
    Impact Metrics:
      Confidentiality (C): Low
      Integrity (I): None
      Availability (A): None
  4.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
  3.5 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:U/RC:R)
    Exploitability Metrics:
      Attack Vector (AV): Local
      Attack Complexity (AC): Low
      Privileges Required (PR): None
      User Interaction (UI): None
    Scope:
      Scope (S): Unchanged
    Impact Metrics:
      Confidentiality (C): None
      Integrity (I): Low
      Availability (A): None
CVSS v2 Severity:
  2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)
    Exploitability Metrics:
      Access Vector (AV): Local
      Access Complexity (AC): Low
      Authentication (Au): None
    Impact Metrics:
      Confidentiality (C): Partial
      Integrity (I): None
      Availability (A): None
  2.1 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
    Exploitability Metrics:
      Access Vector (AV): Local
      Access Complexity (AC): Low
      Authentication (Au): None
    Impact Metrics:
      Confidentiality (C): None
      Integrity (I): Partial
      Availability (A): None
Vulnerability Type: CWE-532
Vulnerability Consequences: Bypass Security
References:
Source: MITRE
Type: CNA
CVE-2017-9271

Source: CCN
Type: Bugzilla – Bug 1050625
VUL-1: CVE-2017-9271: zypper: proxy credentials written to log files

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1050625

Source: CCN
Type: Zypper Web site
Portal:Zypper

Source: XF
Type: UNKNOWN
suse-cve20179271-sec-bypass(139854)

Source: FEDORA
Type: Mailing List, Patch, Third Party Advisory
FEDORA-2021-ebc1c35c5d

Source: CONFIRM
Type: Vendor Advisory
https://www.suse.com/de-de/security/cve/CVE-2017-9271/

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:opensuse:zypper:-:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7711 | P | libzypp-17.31.8-150400.3.14.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:3371 | P | strongswan-5.1.3-26.5.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3118 | P | kernel-default-4.12.14-120.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94748 | P | libzypp-17.30.0-150400.1.6 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95184 | P | evolution-3.42.4-150400.1.10 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:238 | P | libzypp-17.25.8-3.33.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:1167 | P | Security update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core (Important) | 2022-05-16
oval:org.opensuse.security:def:101897 | P | Security update for openssl-1_0_0 (Important) | 2022-03-15
oval:org.opensuse.security:def:99226 | P | (Important) | 2022-03-15
oval:org.opensuse.security:def:94483 | P | (Moderate) | 2022-03-14
oval:org.opensuse.security:def:112945 | P | libzypp-17.28.4-1.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:99424 | P | (Moderate) | 2021-10-20
oval:org.opensuse.security:def:106399 | P | libzypp-17.28.4-1.2 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:101196 | P | libimobiledevice-devel-1.2.0+git20180427.26373b3-1.40 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62256 | P | libzypp-17.25.8-3.33.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:71997 | P | libzypp-17.25.8-3.33.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:92474 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:10424 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:99623 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:93184 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:70564 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:9674 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:99031 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:92673 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:69814 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:8920 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:99822 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:93337 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:92081 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:9873 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:97348 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:92872 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:70013 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:9115 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:100134 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:92276 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:93031 | P | Security update for libzypp, zypper (Moderate) | 2021-03-25
oval:org.opensuse.security:def:9469 | P | Security update for libsolv, libzypp, yast2-installation, zypper (Moderate) | 2021-03-11
oval:org.opensuse.security:def:69609 | P | Security update for libsolv, libzypp, yast2-installation, zypper (Moderate) | 2021-03-11
oval:org.opensuse.security:def:8719 | P | Security update for libsolv, libzypp, yast2-installation, zypper (Moderate) | 2021-03-11
oval:org.opensuse.security:def:97283 | P | Security update for libsolv, libzypp, yast2-installation, zypper (Moderate) | 2021-03-11
oval:org.opensuse.security:def:10223 | P | Security update for libsolv, libzypp, yast2-installation, zypper (Moderate) | 2021-03-11
oval:org.opensuse.security:def:70363 | P | Security update for libsolv, libzypp, yast2-installation, zypper (Moderate) | 2021-03-11
oval:org.opensuse.security:def:111333 | P | Security update for libzypp, zypper (Moderate) | 2021-01-14
oval:org.opensuse.security:def:75793 | P | Security update for libzypp, zypper (Moderate) | 2021-01-13
oval:org.opensuse.security:def:108563 | P | Security update for libzypp, zypper (Moderate) | 2021-01-13
oval:org.opensuse.security:def:96820 | P | Security update for libzypp, zypper (Moderate) | 2021-01-13
oval:org.opensuse.security:def:100596 | P | (Moderate) | 2021-01-13
oval:org.opensuse.security:def:117377 | P | Security update for libzypp, zypper (Moderate) | 2021-01-13
oval:org.opensuse.security:def:64460 | P | Security update for libzypp, zypper (Moderate) | 2021-01-13
oval:org.opensuse.security:def:99931 | P | (Moderate) | 2021-01-13
oval:org.opensuse.security:def:73582 | P | Security update for libzypp, zypper (Moderate) | 2021-01-13
oval:org.opensuse.security:def:107862 | P | Security update for libzypp, zypper (Moderate) | 2021-01-13
oval:org.opensuse.security:def:66725 | P | Security update for libzypp, zypper (Moderate) | 2021-01-13
oval:org.opensuse.security:def:100266 | P | (Moderate) | 2021-01-13
oval:org.opensuse.security:def:5636 | P | Security update for libzypp, zypper (Moderate) | 2021-01-13