CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 1CVE-2019-3685 – Missing TLS certificate validation for HTTPS connections in osc
https://notcve.org/view.php?id=CVE-2019-3685
Open Build Service before version 0.165.4 diddn't validate TLS certificates for HTTPS connections with the osc client binary Open Build Service anterior a la versión 0.165.4, no validó los certificados TLS para las conexiones HTTPS con el binario del cliente osc • https://bugzilla.suse.com/show_bug.cgi?id=1142518 • CWE-295: Improper Certificate Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12479 – Request controller allows to create requests with arbitrary request IDs
https://notcve.org/view.php?id=CVE-2018-12479
A Improper Input Validation vulnerability in Open Build Service allows remote attackers to cause DoS by specifying crafted request IDs. Affected releases are openSUSE Open Build Service: versions prior to 01b015ca2a320afc4fae823465d1e72da8bd60df. Una vulnerabilidad de validación de entradas incorrecta en Open Build Service permite que los atacantes remotos provoquen una denegación de servicio (DoS) especificando ID de petición manipulados. Las versiones afectadas son openSUSE Open Build Service en versiones anteriores a la 01b015ca2a320afc4fae823465d1e72da8bd60df. • https://bugzilla.suse.com/show_bug.cgi?id=1108435 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12473 – path traversal in obs-service-tar_scm
https://notcve.org/view.php?id=CVE-2018-12473
A path traversal traversal vulnerability in obs-service-tar_scm of Open Build Service allows remote attackers to cause access files not in the current build. On the server itself this is prevented by confining the worker via KVM. Affected releases are openSUSE Open Build Service: versions prior to 70d1aa4cc4d7b940180553a63805c22fc62e2cf0. Una vulnerabilidad de salto de directorio en obs-service-tar_scm en Open Build Service permite que los atacantes remotos accedan a archivos que no están en la build actual. En el propio servidor, esto se evita confinando el trabajador mediante KVM. • https://bugzilla.suse.com/show_bug.cgi?id=1105361 https://github.com/openSUSE/obs-service-tar_scm/pull/248 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12466 – openbuildservice allowed deleting packages via project links
https://notcve.org/view.php?id=CVE-2018-12466
openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links. CVE-2018-12466 openSUSE openbuildservice en versiones anteriores a la 9.2.4 permitía que usuarios autenticados eliminasen paquetes en proyectos específicos con enlaces de proyecto. • http://www.securityfocus.com/bid/104958 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2018-12466 https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063 • CWE-285: Improper Authorization CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-12467 – delete package via link exploit in open buildservice
https://notcve.org/view.php?id=CVE-2018-12467
Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689. Los usuarios autorizados de openbuildservice en versiones anteriores a la 2.9.4 podrían eliminar paquetes empleando una petición maliciosa contra los proyectos que tienen el atributo OBS:InitializeDevelPackage. Este problema es similar a CVE-2018-7689. • https://bugzilla.suse.com/show_bug.cgi?id=1100217 https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063 • CWE-285: Improper Authorization CWE-732: Incorrect Permission Assignment for Critical Resource •