CVE-2018-7685— libzypp does not reevaluate malicious rpms once downloaded

EPSS 0.07% · P22 Updated Feb 21, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2018-7685

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

libzypp does not reevaluate malicious rpms once downloaded

Source: NVD (National Vulnerability Database)

Vulnerability Description

The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow installation, a problem caused by malicious warnings only displayed during download.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

不恰当实现的标准安全检查

Source: NVD (National Vulnerability Database)

Vulnerability Title

libzypp 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

libzypp（又名ZYPP）是美国Novell公司资助的一套开源的可管理引擎、驱动（例如：Linux应用程序YaST、Zypper）的工具。 libzypp 17.5.0之前版本中存在安全漏洞，该漏洞源于程序只会在下载过程中弹出恶意警告。攻击者可借助解耦下载和安装步骤利用该漏洞将受损的RPM存储在缓存中，并且使其进行安装。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
SUSE	libzypp	unspecified ~ 17.5.0	-

II. Public POCs for CVE-2018-7685

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2018-7685

请登录查看更多情报信息。

https://bugzilla.suse.com/show_bug.cgi?id=1091624x_refsource_CONFIRM
https://www.suse.com/de-de/security/cve/CVE-2018-7685/x_refsource_MISC
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004510.htmlx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2018-7685

IV. Related Vulnerabilities

Same product: libzypp

Same vendor: SUSE

Same weakness: CWE-358

V. Comments for CVE-2018-7685

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2018-7685— libzypp does not reevaluate malicious rpms once downloaded

I. Basic Information for CVE-2018-7685

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2018-7685

III. Intelligence Information for CVE-2018-7685

IV. Related Vulnerabilities

V. Comments for CVE-2018-7685

Leave a comment