CVE-2013-3703

CWE-862Missing AuthorizationCWE-2753 documents3 sources
Severity
6.5MEDIUM
EPSS
0.3%
top 48.27%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Opensuse Open Build Service
Timeline
PublishedJun 8
Latest updateMay 13

Description

The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project meta data.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5opensuse/open_build_serviceunspecified2.4.4
NVDopensuse/open_build_service2.4.02.4.4

🔴Vulnerability Details

2
GHSA
GHSA-jw5v-mxm6-2753: The controller of the Open Build Service API prior to version 22022-05-13
CVEList
No write permission check in change_role command2018-06-08
CVE-2013-3703 (MEDIUM CVSS 6.5) | The controller of the Open Build Se | cvebase.io