CVE-2019-3681
osc: stores downloaded (supposed) RPM in network-controlled filesystem paths
- Public Exploits: 1
- Exploited in Wild: -
Descriptions
An External Control of File Name or Path vulnerability in osc of SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Software Development Kit 12-SP5, SUSE Linux Enterprise Software Development Kit 12-SP4, openSUSE Leap 15.1 and openSUSE Factory allowed remote attackers who can alter downloaded packages to overwrite arbitrary files. This issue affects: SUSE Linux Enterprise Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1; SUSE Linux Enterprise Software Development Kit 12-SP5 osc versions prior to 0.162.1-15.9.1; SUSE Linux Enterprise Software Development Kit 12-SP4 osc versions prior to 0.162.1-15.9.1; openSUSE Leap 15.1 osc versions prior to 0.169.1-lp151.2.15.1; openSUSE Factory osc versions prior to 0.169.0.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2019-01-03 CVE Reserved
- 2020-06-29 CVE Published
- 2024-07-06 EPSS Updated
- 2024-09-17 CVE Updated
- 2024-09-17 First Exploit
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-73: External Control of File Name or Path
CAPEC
References (1)
URL | Date | Source
---|---|---
https://bugzilla.suse.com/show_bug.cgi?id=1122675 | 2024-09-17 | -
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | | Vendor | Product | Version | Other | Status
---|---|---|---|---|---|---|---|---|---|---
Opensuse | Osc | < 0.169.1-3.20.1 | - | Affected | in | Suse | Linux Enterprise Server | 15 | - | Safe
Opensuse | Osc | < 0.162.1-15.9.1 | - | Affected | in | Suse | Linux Enterprise Software Development Kit | 12 | sp5 | Safe
Opensuse | Osc | < 0.162.1-15.9.1 | - | Affected | in | Suse | Linux Enterprise Software Development Kit | 12 | sp4 | Safe
Opensuse | Osc | < 0.169.1-lp151.2.15.1 | - | Affected | in | Opensuse | Leap | 15.1 | - | Safe
Opensuse | Osc | < 0.169.0 | - | Affected | in | Opensuse | Factory | - | - | Safe