PT-2018-3448 · obs-service-tar_scm (SUSE / openSUSE)
Matthias Gerstner
·
Published
2018-06-14
·
Updated
2024-06-15
·
CVE-2018-12476
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions:
SUSE Linux Enterprise Server 15: obs-service-tar_scm versions prior to 0.9.2.1537788075.fefaa74
openSUSE Factory: obs-service-tar_scm versions prior to 0.9.2.1537788075.fefaa74
Description:
obs-service-tar_scm, the Open Build Service source service that checks sources out of an SCM repository and packs them into a tarball, does not properly restrict the path of the file it writes into the build working directory (Relative Path Traversal). A remote attacker who controls a repository used as a source can supply path components such as `../` so that, when the local user runs the malicious service, the output lands outside the intended directory and overwrites files on that user's machine. The direct impact is to integrity only (the CVSS vector scores confidentiality as C:N); because the writable locations include the user's home directory, an overwritten file such as a shell startup script can in turn lead to code execution in that user's context. Exploitation requires the victim to run the service against attacker-controlled input, which is why no privileges or user interaction beyond that are reflected in the vector.
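The traversal pattern described above, as an added example in Python (the language obs-service-tar_scm is written in). This is not the project's own code and not its actual fix: `unsafe_output_path` shows the unconfined join that lets `../` components and absolute paths escape the working directory, `safe_output_path` shows the confinement check a hardened service needs, and `demo` runs both against a constructed `../../.bashrc` value. The directory layout, the function names and the idea of a caller-supplied `filename` are assumptions made for the illustration.

```python
"""Relative path traversal in a tar_scm-style source service (illustrative).

Added example, not obs-service-tar_scm's own code. A source service takes a
name for the archive it produces from the service definition / repository
and writes it under the build working directory. Without confinement, '..'
components or an absolute name escape that directory.
"""
import os
import tempfile


def unsafe_output_path(workdir: str, filename: str) -> str:
    """Vulnerable pattern: the caller-supplied name is joined and trusted.

    os.path.join keeps '..' components untouched and discards workdir
    entirely when filename is absolute.
    """
    return os.path.join(workdir, filename)


def safe_output_path(workdir: str, filename: str) -> str:
    """Confine the output to workdir; reject anything resolving outside it.

    realpath normalises '..' and follows symlinks, so a symlinked
    subdirectory pointing outside workdir is caught as well.
    """
    base = os.path.realpath(workdir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"refusing to write outside {base}: {filename!r}")
    return candidate


def write_archive(workdir: str, filename: str, data: bytes, hardened: bool) -> str:
    """Write data to the chosen path and return the path actually used."""
    if hardened:
        path = safe_output_path(workdir, filename)
    else:
        path = unsafe_output_path(workdir, filename)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run both variants against a constructed malicious filename."""
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        home = os.path.join(sandbox, "home")          # stands in for the user's home
        workdir = os.path.join(home, "build", "pkg")  # where the service should write
        os.makedirs(workdir)
        # Constructed attacker-controlled value, e.g. from a malicious service definition.
        evil = "../../.bashrc"

        written = write_archive(workdir, evil, b"echo pwned\n", hardened=False)
        results["unsafe_escaped"] = (
            os.path.realpath(written) == os.path.realpath(os.path.join(home, ".bashrc"))
        )

        try:
            write_archive(workdir, evil, b"echo pwned\n", hardened=True)
            results["safe_rejected"] = False
        except ValueError:
            results["safe_rejected"] = True

        try:
            safe_output_path(workdir, "/etc/passwd")
            results["absolute_rejected"] = False
        except ValueError:
            results["absolute_rejected"] = True

        benign = safe_output_path(workdir, "pkg-1.0.tar.gz")
        results["benign_ok"] = benign.startswith(os.path.realpath(workdir) + os.sep)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check compares resolved paths rather than inspecting the string for `..`, because a name like `foo/../../x`, an absolute name, or a symlink planted in the checkout can all escape without containing the literal prefix `../`.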
Recommendations:
For SUSE Linux Enterprise Server 15, update obs-service-tar_scm to version 0.9.2.1537788075.fefaa74 or later.
For openSUSE Factory, update obs-service-tar_scm to version 0.9.2.1537788075.fefaa74 or later.
Until the update is applied, do not run source services (for example via `osc service run`) on service definitions or repositories that are not trusted, and prefer running them in a disposable build VM or container rather than directly under the interactive user's home directory, so that a write escaping the working directory cannot reach files such as shell startup scripts.
Status: fix available
Weakness: Relative Path Traversal (path traversal)
Related Identifiers: CVE-2018-12476
Affected Products: SUSE Linux Enterprise Server (SUSE); obs-service-tar_scm (openSUSE)