CVE-2017-9268

CWE-285 CWE-732 — Incorrect Permission Assignment5 documents5 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 67.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Suse Open Build Service Opensuse Open Build Service

Timeline

PublishedMar 1

Latest updateMay 13

Description

In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to cause operations on projects where they did not have permissions leading to denial of service (resource consumption).

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:LExploitability: 1.8 | Impact: 2.5

Affected Packages3 packages

▶CVEListV5suse/open_build_serviceunspecified — 20170722 git

▶Debianopen-build-service< 2.9.4-1

▶NVDopensuse/open_build_service2.8.2

🔴Vulnerability Details

GHSA

GHSA-2mj3-95g6-565f: In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users↗2022-05-13

▶

OSV

CVE-2017-9268: In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users↗2018-03-01

▶

CVEList

open-build-service retrigger / wipebinaries hitting the wrong project bypassing access permissions↗2018-03-01

▶

📋Vendor Advisories

Debian

CVE-2017-9268: open-build-service - In the open build service before 201707022 the wipetrigger and rebuild actions c...↗2017

▶