CVE-2018-12474

CWE-20 — Improper Input Validation3 documents3 sources

Severity

9.8CRITICAL

EPSS

0.4%

top 40.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Opensuse Open Build Service Opensuse TAR SCM

Timeline

PublishedOct 9

Latest updateMay 13

Description

Improper input validation in obs-service-tar_scm of Open Build Service allows remote attackers to cause access and extract information outside the current build or cause the creation of file in attacker controlled locations. Affected releases are openSUSE Open Build Service: versions prior to 51a17c553b6ae2598820b7a90fd0c11502a49106.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5opensuse/open_build_serviceunspecified — 51a17c553b6ae2598820b7a90fd0c11502a49106

▶NVDopensuse/tar_scm< 0.9.3

🔴Vulnerability Details

GHSA

GHSA-2g8g-ghh7-j7r3: Improper input validation in obs-service-tar_scm of Open Build Service allows remote attackers to cause access and extract information outside the cur↗2022-05-13

▶

CVEList

Crafted service parameters allows to induce unexpected behaviour in obs-service-tar_scm↗2018-10-09

▶