History: Sep 01, 2020 - 11:55 a.m.

CVE-2018-12475 obs-service-download_files allows downloading from localhost or intranet hosts

2020-09-01 11:55:11
CWE-610
microfocus
www.cve.org
5
cve-2018-12475
obs-service-download_files
unauthorized data download
internal networks

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS: 0.001
Percentile: 22.7%

An Externally Controlled Reference to a Resource in Another Sphere vulnerability in obs-service-download_files of openSUSE Open Build Service allows authenticated users to generate HTTP requests against internal networks and potentially download data that is exposed there. This issue affects: openSUSE Open Build Service.

CNA Affected

[
  {
    "product": "Open Build Service",
    "vendor": "openSUSE",
    "versions": [
      {
        "lessThanOrEqual": "0.6.2",
        "status": "affected",
        "version": "obs-service-download_files",
        "versionType": "custom"
      }
    ]
  }
]
