CVE-2017-9268

open-build-service retrigger / wipebinaries hitting the wrong project bypassing access permissions

CVSS 4.4 MEDIUMEPSS 0.6%CWE-285

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 4.4EPSS 0.6%KEV nãoPoC —Patch —

Ciclo de vida

01 mar 2018Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to cause operations on projects where they did not have permissions leading to denial of service (resource consumption).

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Produtos afetados

SUSE · open build service

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://bugzilla.suse.com/show_bug.cgi?id=1045519 https://github.com/openSUSE/open-build-service/pull/3267