CVE-2017-5188

Published: Mar 1, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The bs_worker code in open build service before 20170320 followed relative symlinks, allowing reading of files outside of the package source directory during build, allowing leakage of private information.

Affected (1)

Products: Opensuse: Open Build Service

Opensuse

1 product

Open Build Service

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Opensuse Open Build Service	Up to 2.7.3

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-59

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References (6)

https://bugzilla.suse.com/show_bug.cgi?id=1029824

Source: security@opentext.com

https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d

Source: security@opentext.com

https://www.suse.com/de-de/security/cve/CVE-2017-5188/

Source: security@opentext.com

https://bugzilla.suse.com/show_bug.cgi?id=1029824

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.suse.com/de-de/security/cve/CVE-2017-5188/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.