CVE-2018-7688

CWE-862 — Missing Authorization6 documents6 sources

Severity

6.5MEDIUM

EPSS

0.2%

top 62.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Opensuse Open Build Service

Timeline

PublishedJun 7

Latest updateMay 13

Description

A missing permission check in the review handling of openSUSE Open Build Service before 2.9.3 allowed all authenticated users to modify sources in projects where they do not have write permissions.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:LExploitability: 2.8 | Impact: 4.2

Affected Packages3 packages

▶CVEListV5opensuse/open_build_serviceunspecified — 2.9.3

▶NVDopensuse/open_build_service< 2.9.3

▶Debianopen-build-service< 2.9.4-1

🔴Vulnerability Details

GHSA

GHSA-9fp2-98jv-g7j6: A missing permission check in the review handling of openSUSE Open Build Service before 2↗2022-05-13

▶

CVEList

Open Build Service accepts arbitrary reviews↗2018-06-07

▶

OSV

CVE-2018-7688: A missing permission check in the review handling of openSUSE Open Build Service before 2↗2018-06-07

▶

💥Exploits & PoCs

Exploit-DB

LayerBB 1.1.2 - Cross-Site Scripting↗2019-02-12

▶

📋Vendor Advisories

Debian

CVE-2018-7688: open-build-service - A missing permission check in the review handling of openSUSE Open Build Service...↗2018

▶