CVE-2019-3681
published 2020-06-29


critical 9.8 CVSS 3.1
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
An External Control of File Name or Path vulnerability in osc of SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Software Development Kit 12-SP5, SUSE Linux Enterprise Software Development Kit 12-SP4; openSUSE Leap 15.1, openSUSE Factory allowed remote attackers that can change downloaded packages to overwrite arbitrary files. This issue affects: SUSE Linux Enterprise Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1. SUSE Linux Enterprise Software Development Kit 12-SP5 osc versions prior to 0.162.1-15.9.1. SUSE Linux Enterprise Software Development Kit 12-SP4 osc versions prior to 0.162.1-15.9.1. openSUSE Leap 15.1 osc versions prior to 0.169.1-lp151.2.15.1. openSUSE Factory osc versions prior to 0.169.0.

Affected

14 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| debian | osc | < osc 0.169.1-1 (bookworm) | osc 0.169.1-1 (bookworm) |
| opensuse | opensuse_factory | >= osc < 0.169.0 | 0.169.0 |
| opensuse | opensuse_leap_15.1 | >= osc < 0.169.1-lp151.2.15.1 | 0.169.1-lp151.2.15.1 |
| opensuse | osc | < 0.169.1-3.20.1 | 0.169.1-3.20.1 |
| opensuse | osc | < 0.162.1-15.9.1 | 0.162.1-15.9.1 |
| opensuse | osc | < 0.169.1-lp151.2.15.1 | 0.169.1-lp151.2.15.1 |
| opensuse | osc | < 0.169.0 | 0.169.0 |
| opensuse | osc | >= 0 < 0.169.1-1 | 0.169.1-1 |
| opensuse | osc | >= 0 < 0.169.1-1 | 0.169.1-1 |
| opensuse | osc | >= 0 < 0.169.1-1 | 0.169.1-1 |
| opensuse | osc | >= 0 < 0.169.1-1 | 0.169.1-1 |
| suse | suse_linux_enterprise_module_for_development_tools_15 | >= osc < 0.169.1-3.20.1 | 0.169.1-3.20.1 |
| suse | suse_linux_enterprise_software_development_kit_12-sp4 | >= osc < 0.162.1-15.9.1 | 0.162.1-15.9.1 |
| suse | suse_linux_enterprise_software_development_kit_12-sp5 | >= osc < 0.162.1-15.9.1 | 0.162.1-15.9.1 |

CVSS provenance

nvd v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv 9.8 CRITICAL