PT-2018-3447 · Opensuse+1 · Open Build Service+1

Matthias Gerstner · Published 2018-06-14 · Updated 2024-06-15 · CVE-2018-12474

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Open Build Service versions prior to 51a17c553b6ae2598820b7a90fd0c11502a49106
Description: The issue is improper input validation in obs-service-tar_scm of Open Build Service. It allows remote attackers to access and extract information outside the current build, or to create files in attacker-controlled locations. This can potentially lead to unauthorized access to protected information.
Recommendations: For versions prior to 51a17c553b6ae2598820b7a90fd0c11502a49106, update to a version that includes the necessary input validation fixes to prevent exploitation. As a temporary workaround, consider restricting access to the obs-service-tar_scm service until a patch is available.

Fix

RCE

Weakness Enumeration

Related identifiers

BDU:2020-01573
CVE-2018-12474
OPENSUSE-SU-2019:0326-1
OPENSUSE-SU-2019:0329-1
OPENSUSE-SU-2019_0326-1
OPENSUSE-SU-2024:11107-1
SUSE-SU-2019:0540-1

Affected products

Open Build Service
Suse