CVE-2018-7689 — Missing Authorization in Open Build Service

CWE-862 — Missing Authorization5 documents5 sources

Severity

6.5MEDIUMNVD

CNA7.1

EPSS

0.2%

top 62.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Opensuse Open Build Service

Timeline

PublishedJun 7

Latest updateMay 13

Description

Lack of permission checks in the InitializeDevelPackage function in openSUSE Open Build Service before 2.9.3 allowed authenticated users to modify packages where they do not have write permissions.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5opensuse/open_build_serviceunspecified — 2.9.3

▶NVDopensuse/open_build_service< 2.9.3

🔴Vulnerability Details

GHSA

GHSA-mcfv-wm6f-9ch2: Lack of permission checks in the InitializeDevelPackage function in openSUSE Open Build Service before 2↗2022-05-13

▶

OSV

CVE-2018-7689: Lack of permission checks in the InitializeDevelPackage function in openSUSE Open Build Service before 2↗2018-06-07

▶

CVEList

Open Build Service arbitrary package modification↗2018-06-07

▶

📋Vendor Advisories

Debian

CVE-2018-7689: open-build-service - Lack of permission checks in the InitializeDevelPackage function in openSUSE Ope...↗2018

▶