CVE-2017-5188 — Link Following in Open Build Service

CWE-59 — Link Following CWE-200 — Sensitive Information Exposure5 documents5 sources

Severity

7.5HIGHNVD

CNA5.0

EPSS

0.2%

top 63.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Opensuse Open Build Service

Timeline

PublishedMar 1

Latest updateMay 13

Description

The bs_worker code in open build service before 20170320 followed relative symlinks, allowing reading of files outside of the package source directory during build, allowing leakage of private information.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5opensuse/open_build_serviceunspecified — 20170320

▶NVDopensuse/open_build_service2.7.3

🔴Vulnerability Details

GHSA

GHSA-m6v2-2pmh-qf44: The bs_worker code in open build service before 20170320 followed relative symlinks, allowing reading of files outside of the package source directory↗2022-05-13

▶

CVEList

OBS worker VM escape via relative symbolic links↗2018-03-01

▶

OSV

CVE-2017-5188: The bs_worker code in open build service before 20170320 followed relative symlinks, allowing reading of files outside of the package source directory↗2018-03-01

▶

📋Vendor Advisories

Debian

CVE-2017-5188: open-build-service - The bs_worker code in open build service before 20170320 followed relative symli...↗2017

▶