Lucene search

MicrofocusCVELIST:CVE-2015-0796

HistoryMar 02, 2018 - 8:00 p.m.

CVE-2015-0796 open build service source server symlink exploitation via source patch

2018-03-0220:00:00

CWE-434

microfocus

www.cve.org

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS

Percentile

12.6%

JSON

In open buildservice 2.6 before 2.6.3, 2.5 before 2.5.7 and 2.4 before 2.4.8 the source service patch application could generate non-standard files like symlinks or device nodes, which could allow buildservice users to break of confinement or cause denial of service attacks on the source service.

CNA Affected

[
  {
    "product": "open build service",
    "vendor": "SUSE",
    "versions": [
      {
        "lessThan": "2.6.3",
        "status": "affected",
        "version": "2.6",
        "versionType": "custom"
      },
      {
        "lessThan": "2.5.7",
        "status": "affected",
        "version": "2.5",
        "versionType": "custom"
      },
      {
        "lessThan": "2.4.8",
        "status": "affected",
        "version": "2.4",
        "versionType": "custom"
      }
    ]
  }
]

References

bugzilla.suse.com/show_bug.cgi?id=941099

github.com/openSUSE/open-build-service/commit/474a3db19498765f0118ba3dbc0b1cc90b0097fc