CVE-2018-12467

CWE-285 CWE-732 — Incorrect Permission Assignment6 documents6 sources

Severity

6.5MEDIUM

EPSS

0.1%

top 70.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Opensuse Openbuildservice Opensuse Open Build Service

Timeline

PublishedAug 1

Latest updateMay 13

Description

Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:HExploitability: 0.8 | Impact: 5.2

Affected Packages3 packages

▶CVEListV5opensuse/openbuildserviceunspecified — 9.2.4

▶NVDopensuse/open_build_service< 2.9.4

▶Debianopen-build-service< 2.9.4-1

🔴Vulnerability Details

GHSA

GHSA-24pm-f3f4-m533: Authorized users of the openbuildservice before 2↗2022-05-13

▶

CVEList

delete package via link exploit in open buildservice↗2018-08-01

▶

OSV

CVE-2018-12467: Authorized users of the openbuildservice before 2↗2018-08-01

▶

📋Vendor Advisories

Debian

CVE-2018-12467: open-build-service - Authorized users of the openbuildservice before 2.9.4 could delete packages by u...↗2018

▶

💬Community

Bugzilla

CVE-2018-20538 nasm: Use-after-free at asm/preproc.c resulting in a denial of service↗2019-01-07

▶