22 matches found
CVE-2019-3685
Open Build Service osc client did not validate TLS certificates for HTTPS connections before version 0.165.4. Affected components: osc binary used by Open Build Service. Impact: potential trust/security risk due to improper TLS validation (CVSS data in sources indicates high severity). Remediatio...
CVE-2018-12473
CVE-2018-12473 is a path traversal vulnerability in obs-service-tar_scm of Open Build Service. It could allow access to files outside the current build. Affected releases are openSUSE Open Build Service versions prior to 70d1aa4cc4d7b940180553a63805c22fc62e2cf0. The issue has been addressed in security u...
CVE-2021-36777
CVE-2021-36777 affects openSUSE Build service login-proxy-scripts (pre-dc000cdfe9b9b715fb92195b1a57559362f689ef). The issue is a vulnerability in the login-proxy that relies on untrusted inputs, allowing an attacker to present a user with the expected login form and then have clear-text credentia...
CVE-2022-21949
CVE-2022-21949 describes an XXE vulnerability in SUSE Open Build Service (OBS) prior to version 2.10.13. The issue allows remote attackers to reference external entities during certain operations, enabling information disclosure and potential escalation to Admin privileges on OBS. Affected produc...
CVE-2018-7689
The vulnerability CVE-2018-7689 affects openSUSE Open Build Service prior to version 2.9.3. The root cause is missing permission checks in the InitializeDevelPackage function, enabling authenticated users to modify packages for which they do not have write access. Impact is authenticated access t...
CVE-2017-9268
Open Build Service vulnerability CVE-2017-9268: In OBS before 201707022, the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to perform operations on projects they should not access, leading to denial of service (resource consumption). Affec...
CVE-2020-8021
CVE-2020-8021 concerns Open Build Service (OBS). An improper access control vulnerability allows remote attackers to read files of an OBS package where sourceaccess/access is disabled. Affected OBS versions are prior to 2.10.5. Per available documents, the remediation is to upgrade to a fixed ver...
CVE-2020-8020
CVE-2020-8020 concerns an improper neutralization of input during web page generation in open-build-service, enabling remote attackers to store arbitrary JavaScript and trigger XSS. Affected: openSUSE/open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb. Severity is mediu...
CVE-2018-12475
The CVE-2018-12475 entry concerns an Externally Controlled Reference to a Resource in Another Sphere in openSUSE Open Build Service’s obs-service-download_files component. The vulnerability allows authenticated users to generate HTTP requests targeting internal networks, potentially leading to da...
CVE-2018-7688
CVE-2018-7688 describes a missing permission check in the review handling of openSUSE Open Build Service prior to version 2.9.3, which could allow any authenticated user to modify sources in projects where they lack write permissions. The vulnerability affects the Open Build Service workflow and ...
CVE-2017-5188
The CVE-2017-5188 vulnerability affects openSUSE/open-build-service: the bs_worker code, prior to version 20170320, followed relative symlinks to read files outside the package source directory during a build, enabling leakage of private information. Impact in the sources states potential disclos...
CVE-2011-4181
The CVE-2011-4181 entry describes a vulnerability in the SUSE Open Build Service (OBS) where remote attackers can access source files even when source access is disabled. Affected releases include OBS up to version 2.1.15 (for 2.1) and all versions prior to 2.3. Details on root cause are not prov...
CVE-2020-8031
CVE-2020-8031 affects Open Build Service, with versions prior to 2.10.8 vulnerable to a Cross-site Scripting issue where remote attackers can store JavaScript in markdown that is not properly escaped, impacting confidentiality and integrity. The vulnerability is tied to improper input neutralizat...
CVE-2018-12466
openSUSE openbuildservice is affected (before 9.2.4). The issue allows authenticated users to delete packages on specific projects via project links. Root cause and patch details are not provided in the documents; no exploitation details are listed. No remediation information is stated.
CVE-2018-12478
CVE-2018-12478 affects the Open Build Service (OBS) used by openSUSE. The vulnerability is described as an improper input validation flaw that could allow remote attackers to extract files from the system hosting OBS. Affected releases are listed as openSUSE Open Build Service with status unknown...
CVE-2011-3178
The CVE-2011-3178 entry affects the web UI of openbuildservice prior to version 2.3.0. A code injection vulnerability in the project rebuildtimes statistics could be exploited by authorized attackers to execute shellcode. Impact is described as able to run arbitrary code with the attacker’s privi...
CVE-2018-12467
Technical details about CVE-2018-12467 are not provided in the connected documents. Current records reference the vulnerability but do not disclose affected products, root cause, impact, or fixes. Monitor for updates.
CVE-2018-12479
CVE-2018-12479 pertains to the Open Build Service (OBS) used in openSUSE. The vulnerability is an Improper Input Validation flaw that enables remote attackers to cause a DoS by specifying crafted request IDs. The affected releases are the Open Build Service versions prior to 01b015ca2a320afc4fae8...
CVE-2013-3703
CVE-2013-3703 concerns the Open Build Service API controller prior to version 2.4.4. The root cause is a missing write-permission check, which allows an authenticated attacker to add or remove user roles from packages and/or project metadata. The vulnerability applies to the Open Build Service AP...
CVE-2011-4183
CVE-2011-4183 concerns openSUSE Open Build Service (OBS). The vulnerability allows remote attackers to upload arbitrary RPM files. Affected releases are SUSE Open Build Service prior to 2.1.16. Root cause details in the sources indicate a file-upload mechanism flaw that permits unauthorized RPM u...
CVE-2014-0593
The CVE concerns obs-service-set_version, a script used as a source validator in the Open Build Service (OBS). In versions prior to 0.5.3-1.1 the set_version script did not properly sanitize user input, allowing code execution on the executing server. Public references in the connected documents ...
CVE-2014-0594
The CVE-2014-0594 entry corresponds to the Open Build Service (OBS) before version 2.4.6, where CSRF protection was incorrectly disabled in the web interface. This allows an attacker to issue requests without user consent, with impact across confidentiality, integrity, and availability as reflect...