CVE-2018-12466 – openbuildservice allowed deleting packages via project links
https://notcve.org/view.php?id=CVE-2018-12466
openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links.
• References:
  http://www.securityfocus.com/bid/104958
  https://bugzilla.suse.com/show_bug.cgi?id=CVE-2018-12466
  https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063
• CWE-285: Improper Authorization
• CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2018-12467 – delete package via link exploit in open buildservice
https://notcve.org/view.php?id=CVE-2018-12467
Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.
• References:
  https://bugzilla.suse.com/show_bug.cgi?id=1100217
  https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063
• CWE-285: Improper Authorization
• CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2011-4183 – open build service allows anyone to upload rpms
https://notcve.org/view.php?id=CVE-2011-4183
A vulnerability in open build service allows remote attackers to upload arbitrary RPM files. Affected releases are SUSE open build service prior to 2.1.16.
• References:
  https://bugzilla.suse.com/show_bug.cgi?id=736243
  https://github.com/openSUSE/open-build-service/commit/5281e4bff9df31f1f91e22a0d1e9086b93b23d7e
• CWE-434: Unrestricted Upload of File with Dangerous Type
• CWE-862: Missing Authorization
CVE-2011-4181 – open build service information leak via unauthorized source access
https://notcve.org/view.php?id=CVE-2011-4181
A vulnerability in open build service allows remote attackers to gain access to source files even though source access is disabled. Affected releases are SUSE open build service up to and including version 2.1.15 (for 2.1) and before version 2.3.
• References:
  https://bugzilla.suse.com/show_bug.cgi?id=734003
  https://github.com/openSUSE/open-build-service/commit/5281e4bff9df31f1f91e22a0d1e9086b93b23d7e
• CWE-20: Improper Input Validation
• CWE-284: Improper Access Control
CVE-2014-0593 – sed command injection
https://notcve.org/view.php?id=CVE-2014-0593
The set_version script as shipped with obs-service-set_version is a source validator for the Open Build Service (OBS). In versions prior to 0.5.3-1.1 this script did not properly sanitize the input provided by the user, allowing for code execution on the executing server.
• References:
  https://bugzilla.suse.com/show_bug.cgi?id=866966
  https://github.com/openSUSE/obs-service-set_version/commit/10d5bddcea29f74a175f7f550924bf6407e52e93
  https://lists.opensuse.org/opensuse-buildservice/2014-03/msg00014.html
  https://www.suse.com/de-de/security/cve/CVE-2014-0593
• CWE-20: Improper Input Validation
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')