CVE-2020-8020 – Persistent XSS in markdown parser used by obs-server
https://notcve.org/view.php?id=CVE-2020-8020
An Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects: openSUSE open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb.
References: https://bugzilla.suse.com/show_bug.cgi?id=1171439 ; https://lists.debian.org/debian-lts-announce/2021/02/msg00006.html
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-3685 – Missing TLS certificate validation for HTTPS connections in osc
https://notcve.org/view.php?id=CVE-2019-3685
Open Build Service before version 0.165.4 didn't validate TLS certificates for HTTPS connections with the osc client binary.
References: https://bugzilla.suse.com/show_bug.cgi?id=1142518
CWE-295: Improper Certificate Validation
CVE-2018-12479 – Request controller allows creating requests with arbitrary request IDs
https://notcve.org/view.php?id=CVE-2018-12479
An Improper Input Validation vulnerability in Open Build Service allows remote attackers to cause DoS by specifying crafted request IDs. Affected releases are openSUSE Open Build Service: versions prior to 01b015ca2a320afc4fae823465d1e72da8bd60df.
References: https://bugzilla.suse.com/show_bug.cgi?id=1108435
CWE-20: Improper Input Validation
CVE-2018-12478 – obs-service-replace_using_package_version allows specifying arbitrary input files
https://notcve.org/view.php?id=CVE-2018-12478
An Improper Input Validation vulnerability in Open Build Service allows remote attackers to extract files from the system where the service runs. Affected releases are openSUSE Open Build Service: status is unknown.
References: https://bugzilla.suse.com/show_bug.cgi?id=1108280
CWE-20: Improper Input Validation
CVE-2018-12473 – path traversal in obs-service-tar_scm
https://notcve.org/view.php?id=CVE-2018-12473
A path traversal vulnerability in obs-service-tar_scm of Open Build Service allows remote attackers to access files not in the current build. On the server itself this is prevented by confining the worker via KVM. Affected releases are openSUSE Open Build Service: versions prior to 70d1aa4cc4d7b940180553a63805c22fc62e2cf0.
References: https://bugzilla.suse.com/show_bug.cgi?id=1105361 ; https://github.com/openSUSE/obs-service-tar_scm/pull/248
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'); CWE-23: Relative Path Traversal