CVE-2018-12479 – Request controller allows to create requests with arbitrary request IDs
https://notcve.org/view.php?id=CVE-2018-12479
An improper input validation vulnerability in Open Build Service allows remote attackers to cause a DoS by specifying crafted request IDs. Affected releases are openSUSE Open Build Service: versions prior to commit 01b015ca2a320afc4fae823465d1e72da8bd60df. • https://bugzilla.suse.com/show_bug.cgi?id=1108435 • CWE-20: Improper Input Validation •
CVE-2018-12466 – openbuildservice allowed deleting packages via project links
https://notcve.org/view.php?id=CVE-2018-12466
openSUSE openbuildservice before 2.9.4 allowed authenticated users to delete packages on specific projects with project links. • http://www.securityfocus.com/bid/104958 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2018-12466 https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063 • CWE-285: Improper Authorization CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2018-12467 – delete package via link exploit in open buildservice
https://notcve.org/view.php?id=CVE-2018-12467
Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689. • https://bugzilla.suse.com/show_bug.cgi?id=1100217 https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063 • CWE-285: Improper Authorization CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2013-3703 – No write permission check in change_role command
https://notcve.org/view.php?id=CVE-2013-3703
The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from package and/or project metadata. • https://bugzilla.suse.com/show_bug.cgi?id=828256 https://github.com/openSUSE/open-build-service/commit/06ad7fdbdd7eb2fef8947d14c4cdd00d8f6387b1 • CWE-275: Permission Issues CWE-862: Missing Authorization •
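The bug class behind CVE-2013-3703 is an endpoint that authenticates the caller but never asks whether the caller may write the object being changed. The following is an added example in plain Ruby, not code from Open Build Service or from the fixing commit; `User`, `Package`, `change_role_unchecked` and `change_role_checked` are assumed names for illustration, and "write permission" is reduced to package maintainership, whereas real OBS also consults project-level roles.

```ruby
require 'set'

# Constructed, simplified stand-ins for OBS objects (assumed names, not the project's classes).
User = Struct.new(:login)

class Package
  attr_reader :name, :roles

  def initialize(name, maintainers: [])
    @name  = name
    @roles = { 'maintainer' => Set.new(maintainers), 'reader' => Set.new }
  end

  # Write access is modelled as "is a maintainer of this package".
  def writable_by?(user)
    @roles['maintainer'].include?(user.login)
  end

  # The state change itself; it validates its inputs but knows nothing about who asked.
  def apply_role_change(target_login, role, op)
    raise ArgumentError, "unknown role #{role}" unless @roles.key?(role)
    case op
    when :add    then @roles[role].add(target_login)
    when :remove then @roles[role].delete(target_login)
    else raise ArgumentError, "unknown op #{op}"
    end
    self
  end
end

class NotAuthorized < StandardError; end

# Vulnerable shape: only authentication happened upstream; the actor's write permission
# on the package is never consulted, so any logged-in user can rewrite its roles.
def change_role_unchecked(package, _actor, target_login, role, op)
  package.apply_role_change(target_login, role, op)
end

# Hardened shape: refuse before touching the metadata unless the actor may write it.
def change_role_checked(package, actor, target_login, role, op)
  unless package.writable_by?(actor)
    raise NotAuthorized, "#{actor.login} may not write #{package.name}"
  end
  package.apply_role_change(target_login, role, op)
end

if $PROGRAM_NAME == __FILE__
  mallory = User.new('mallory')

  pkg = Package.new('hello', maintainers: %w[alice])
  change_role_unchecked(pkg, mallory, 'mallory', 'maintainer', :add)
  puts "unchecked: maintainers now #{pkg.roles['maintainer'].to_a.inspect}"

  pkg = Package.new('hello', maintainers: %w[alice])
  begin
    change_role_checked(pkg, mallory, 'mallory', 'maintainer', :add)
  rescue NotAuthorized => e
    puts "checked:   blocked (#{e.message})"
  end
end
```

The check sits in the handler, ahead of the mutation, rather than inside `apply_role_change`: the model should stay usable by internal callers that are already authorized, and every externally reachable write path needs its own authorization decision, which is exactly what the affected controller lacked.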
CVE-2014-0594 – CSRF protection incorrectly disabled
https://notcve.org/view.php?id=CVE-2014-0594
In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent. • https://bugzilla.suse.com/show_bug.cgi?id=870606 https://github.com/openSUSE/open-build-service/commit/2188c059b67b82171d0e28ef59f77e62d22a09d8 • CWE-352: Cross-Site Request Forgery (CSRF) •
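What "CSRF protection disabled" means in practice, as an added example in plain Ruby that is not OBS code and does not use the Rails `protect_from_forgery` machinery: a per-session token is issued, every state-changing request must present it, and the comparison is constant-time. `Request`, `PackageController`, `issue_csrf_token` and `csrf_ok?` are assumed names; the `forgery_protection:` flag stands in for the setting the advisory says was turned off.

```ruby
require 'securerandom'

# Constructed request stand-in (assumed shape, not Rack or Rails).
Request = Struct.new(:method, :params, :headers)

# Methods that must not change state and therefore need no token.
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# One random token per session, created on first use and echoed into forms/headers.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time string comparison so a timing side channel cannot leak the token.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accept a request only if it is safe, or carries the session's token in the form
# body or the X-CSRF-Token header. A cross-site form cannot read the victim's token.
def csrf_ok?(session, request)
  return true if SAFE_METHODS.include?(request.method)
  expected  = session[:csrf_token]
  presented = request.params['authenticity_token'] || request.headers['X-CSRF-Token']
  return false if expected.nil? || presented.nil?
  secure_compare(expected, presented)
end

class PackageController
  # forgery_protection: false reproduces the advisory's condition: the check is skipped.
  def initialize(session, forgery_protection: true)
    @session = session
    @forgery_protection = forgery_protection
  end

  def delete(request)
    return :rejected if @forgery_protection && !csrf_ok?(@session, request)
    :deleted
  end
end

if $PROGRAM_NAME == __FILE__
  session = {}
  token   = issue_csrf_token(session)

  # A form on attacker.example submitted by the victim's browser: cookie present, token absent.
  forged = Request.new('POST', { 'package' => 'hello' }, {})
  # The same action issued from the site's own form, which embedded the token.
  legit  = Request.new('POST', { 'package' => 'hello', 'authenticity_token' => token }, {})

  puts "protection off, forged request: #{PackageController.new(session, forgery_protection: false).delete(forged)}"
  puts "protection on,  forged request: #{PackageController.new(session).delete(forged)}"
  puts "protection on,  legit request:  #{PackageController.new(session).delete(legit)}"
end
```

The check must be on by default for every non-safe method; the affected OBS release got the opposite, so a page on any other origin could make an authenticated browser issue actions such as the forged delete above.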