CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2011-4183 – open build service allows anyone to upload rpms
https://notcve.org/view.php?id=CVE-2011-4183
A vulnerability in open build service allows remote attackers to upload arbitrary RPM files. Affected releases are SUSE open build service prior to 2.1.16. Una vulnerabilidad en Open Build Service permite que atacantes remotos suban archivos RPM arbitrarios. Las versiones afectadas son SUSE Open Build Service en versiones anteriores a la 2.1.16. • https://bugzilla.suse.com/show_bug.cgi?id=736243 https://github.com/openSUSE/open-build-service/commit/5281e4bff9df31f1f91e22a0d1e9086b93b23d7e • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2011-4181 – open build service information leak via unauthorized source access
https://notcve.org/view.php?id=CVE-2011-4181
A vulnerability in open build service allows remote attackers to gain access to source files even though source access is disabled. Affected releases are SUSE open build service up to and including version 2.1.15 (for 2.1) and before version 2.3. Una vulnerabilidad en open build service permite que atacantes remotos obtengan acceso a archivos de origen aunque el acceso a origen esté deshabilitado. Las versiones afectadas son SUSE open build service hasta (e incluyendo) la versión 2.1.15 (para 2.1) y las anteriores a la 2.3. • https://bugzilla.suse.com/show_bug.cgi?id=734003 https://github.com/openSUSE/open-build-service/commit/5281e4bff9df31f1f91e22a0d1e9086b93b23d7e • CWE-20: Improper Input Validation CWE-284: Improper Access Control •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0593 – sed command injection
https://notcve.org/view.php?id=CVE-2014-0593
The set_version script as shipped with obs-service-set_version is a source validator for the Open Build Service (OBS). In versions prior to 0.5.3-1.1 this script did not properly sanitize the input provided by the user, allowing for code execution on the executing server. El script set_version, tal y como se distribuye con obs-service-set_version es un validador de origen para Open Build Service (OBS). En versiones anteriores a la 0.5.3-1.1, el script no saneó correctamente la entrada proporcionada por el usuario, lo que permite la ejecución de código en el servidor en ejecución. • https://bugzilla.suse.com/show_bug.cgi?id=866966 https://github.com/openSUSE/obs-service-set_version/commit/10d5bddcea29f74a175f7f550924bf6407e52e93 https://lists.opensuse.org/opensuse-buildservice/2014-03/msg00014.html https://www.suse.com/de-de/security/cve/CVE-2014-0593 • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2013-3703 – No write permission check in change_role command
https://notcve.org/view.php?id=CVE-2013-3703
The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project meta data. El controlador de Open Build Service API en versiones anteriores a la 2.4.4 carece de una comprobación de permisos de escritura, lo que permite que un atacante autenticado añada o elimine roles de usuario de los metadatos de paquetes o proyectos. • https://bugzilla.suse.com/show_bug.cgi?id=828256 https://github.com/openSUSE/open-build-service/commit/06ad7fdbdd7eb2fef8947d14c4cdd00d8f6387b1 • CWE-275: Permission Issues CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0594 – CSRF protection incorrectly disabled
https://notcve.org/view.php?id=CVE-2014-0594
In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent. En Open Build Service (OBS) en versiones anteriores a la 2.4.6, la protección CSRF está incorrectamente deshabilitada en la interfaz web, lo que permite realizar peticiones sin el consentimiento del usuario. • https://bugzilla.suse.com/show_bug.cgi?id=870606 https://github.com/openSUSE/open-build-service/commit/2188c059b67b82171d0e28ef59f77e62d22a09d8 • CWE-352: Cross-Site Request Forgery (CSRF) •