CVE-2019-3681External Control of File Name or Path in Factory

CWE-73External Control of File Name or Path7 documents6 sources
Severity
9.8CRITICALNVD
CNA7.5
EPSS
0.9%
top 24.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
Opensuse FactoryOpensuse Leap 15.1Suse Linux Enterprise Module FOR Development Tools 15+3 more
Timeline
PublishedJun 29
Latest updateMay 24

Description

A External Control of File Name or Path vulnerability in osc of SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Software Development Kit 12-SP5, SUSE Linux Enterprise Software Development Kit 12-SP4; openSUSE Leap 15.1, openSUSE Factory allowed remote attackers that can change downloaded packages to overwrite arbitrary files. This issue affects: SUSE Linux Enterprise Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1. SUSE Linux Enterprise Software

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages7 packages

CVEListV5opensuse/opensuse_factoryosc0.169.0
CVEListV5opensuse/opensuse_leap_15.1osc0.169.1-lp151.2.15.1

🔴Vulnerability Details

3
GHSA
GHSA-9w8p-3cm4-h4c7: A External Control of File Name or Path vulnerability in osc of SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Software2022-05-24
OSV
CVE-2019-3681: A External Control of File Name or Path vulnerability in osc of SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Software2020-06-29
CVEList
osc: stores downloaded (supposed) RPM in network-controlled filesystem paths2020-06-29

📋Vendor Advisories

1
Debian
CVE-2019-3681: osc - A External Control of File Name or Path vulnerability in osc of SUSE Linux Enter...2019

💬Community

2
Bugzilla
CVE-2019-3681 osc: Stores downloaded RPM in network-controlled filesystem paths [fedora-all]2020-09-16
Bugzilla
CVE-2019-3681 osc: Stores downloaded RPM in network-controlled filesystem paths2020-09-16
CVE-2019-3681 — External Control of File Name or Path | cvebase