Open Build Service

open_build_service

Vendor: Opensuse • 22 CVEs

CVEs (22)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-21949 1Opensuse 1Open Build Service Nov 21, 2024 May 3, 2022 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 A Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the...Show more A Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13.Show less
CVE-2021-36777 1Opensuse 1Open Build Service Nov 21, 2024 Mar 9, 2022 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Reliance on Untrusted Inputs in a Security Decision vulnerability in the login proxy of the openSUSE Build service allowed attackers to present users with a expected login form that then sends the clear text credential...Show more A Reliance on Untrusted Inputs in a Security Decision vulnerability in the login proxy of the openSUSE Build service allowed attackers to present users with a expected login form that then sends the clear text credentials to an attacker specified server. This issue affects: openSUSE Build service login-proxy-scripts versions prior to dc000cdfe9b9b715fb92195b1a57559362f689ef.Show less
CVE-2020-8031 1Opensuse 1Open Build Service Nov 21, 2024 Feb 11, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Open Build Service allows remote attackers to store JS code in markdown that is not properly escaped, impacting conf...Show more A Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Open Build Service allows remote attackers to store JS code in markdown that is not properly escaped, impacting confidentiality and integrity. This issue affects: Open Build Service versions prior to 2.10.8.Show less
CVE-2018-12475 1Opensuse 1Open Build Service Nov 21, 2024 Sep 1, 2020 N/A· v4 5.4 MEDIUM· v3 5.5 MEDIUM· v2 A Externally Controlled Reference to a Resource in Another Sphere vulnerability in obs-service-download_files of openSUSE Open Build Service allows authenticated users to generate HTTP request against internal networks a...Show more A Externally Controlled Reference to a Resource in Another Sphere vulnerability in obs-service-download_files of openSUSE Open Build Service allows authenticated users to generate HTTP request against internal networks and potentially downloading data that is exposed there. This issue affects: openSUSE Open Build Service .Show less
CVE-2020-8021 2Debian Opensuse 2Debian Linux Open Build Service Nov 21, 2024 May 19, 2020 N/A· v4 5.3 MEDIUM· v3 4.3 MEDIUM· v2 a Improper Access Control vulnerability in of Open Build Service allows remote attackers to read files of an OBS package where the sourceaccess/access is disabled This issue affects: Open Build Service versions prior to...Show more a Improper Access Control vulnerability in of Open Build Service allows remote attackers to read files of an OBS package where the sourceaccess/access is disabled This issue affects: Open Build Service versions prior to 2.10.5.Show less
CVE-2020-8020 2Debian Opensuse 2Debian Linux Open Build Service Nov 21, 2024 May 13, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 A Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects: openSUSE open-build-service versions...Show more A Improper Neutralization of Input During Web Page Generation vulnerability in open-build-service allows remote attackers to store arbitrary JS code to cause XSS. This issue affects: openSUSE open-build-service versions prior to 7cc32c8e2ff7290698e101d9a80a9dc29a5500fb.Show less
CVE-2019-3685 1Opensuse 1Open Build Service Nov 21, 2024 Nov 5, 2019 N/A· v4 7.7 HIGH· v3 6.8 MEDIUM· v2 Open Build Service before version 0.165.4 diddn't validate TLS certificates for HTTPS connections with the osc client binary
CVE-2018-12479 1Opensuse 1Open Build Service Nov 21, 2024 Oct 9, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A Improper Input Validation vulnerability in Open Build Service allows remote attackers to cause DoS by specifying crafted request IDs. Affected releases are openSUSE Open Build Service: versions prior to 01b015ca2a320af...Show more A Improper Input Validation vulnerability in Open Build Service allows remote attackers to cause DoS by specifying crafted request IDs. Affected releases are openSUSE Open Build Service: versions prior to 01b015ca2a320afc4fae823465d1e72da8bd60df.Show less
CVE-2018-12478 1Opensuse 1Open Build Service Nov 21, 2024 Oct 9, 2018 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 A Improper Input Validation vulnerability in Open Build Service allows remote attackers to extract files from the system where the service runs. Affected releases are openSUSE Open Build Service: status of is unknown.
CVE-2018-12473 1Opensuse 1Open Build Service Nov 21, 2024 Oct 2, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A path traversal traversal vulnerability in obs-service-tar_scm of Open Build Service allows remote attackers to cause access files not in the current build. On the server itself this is prevented by confining the worker...Show more A path traversal traversal vulnerability in obs-service-tar_scm of Open Build Service allows remote attackers to cause access files not in the current build. On the server itself this is prevented by confining the worker via KVM. Affected releases are openSUSE Open Build Service: versions prior to 70d1aa4cc4d7b940180553a63805c22fc62e2cf0.Show less
CVE-2018-12467 1Opensuse 1Open Build Service Nov 21, 2024 Aug 1, 2018 N/A· v4 6.5 MEDIUM· v3 5.5 MEDIUM· v2 Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.
CVE-2018-12466 1Opensuse 1Open Build Service Nov 21, 2024 Aug 1, 2018 N/A· v4 6.5 MEDIUM· v3 5.5 MEDIUM· v2 openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links.
CVE-2011-4183 1Opensuse 1Open Build Service Nov 21, 2024 Jun 13, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A vulnerability in open build service allows remote attackers to upload arbitrary RPM files. Affected releases are SUSE open build service prior to 2.1.16.
CVE-2011-4181 1Opensuse 1Open Build Service Nov 21, 2024 Jun 11, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A vulnerability in open build service allows remote attackers to gain access to source files even though source access is disabled. Affected releases are SUSE open build service up to and including version 2.1.15 (for 2....Show more A vulnerability in open build service allows remote attackers to gain access to source files even though source access is disabled. Affected releases are SUSE open build service up to and including version 2.1.15 (for 2.1) and before version 2.3.Show less
CVE-2014-0594 1Opensuse 1Open Build Service Nov 21, 2024 Jun 8, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent.
CVE-2014-0593 1Opensuse 1Open Build Service Nov 21, 2024 Jun 8, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 The set_version script as shipped with obs-service-set_version is a source validator for the Open Build Service (OBS). In versions prior to 0.5.3-1.1 this script did not properly sanitize the input provided by the user,...Show more The set_version script as shipped with obs-service-set_version is a source validator for the Open Build Service (OBS). In versions prior to 0.5.3-1.1 this script did not properly sanitize the input provided by the user, allowing for code execution on the executing server.Show less
CVE-2013-3703 1Opensuse 1Open Build Service Nov 21, 2024 Jun 8, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project meta data.
CVE-2018-7689 1Opensuse 1Open Build Service Nov 21, 2024 Jun 7, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Lack of permission checks in the InitializeDevelPackage function in openSUSE Open Build Service before 2.9.3 allowed authenticated users to modify packages where they do not have write permissions.
CVE-2018-7688 1Opensuse 1Open Build Service Nov 21, 2024 Jun 7, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 A missing permission check in the review handling of openSUSE Open Build Service before 2.9.3 allowed all authenticated users to modify sources in projects where they do not have write permissions.
CVE-2011-3178 1Opensuse 1Open Build Service Nov 21, 2024 Mar 20, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In the web ui of the openbuildservice before 2.3.0 a code injection of the project rebuildtimes statistics could be used by authorized attackers to execute shellcode.

12 Next