Lucene search

MicrofocusCVELIST:CVE-2018-7688

HistoryJun 07, 2018 - 1:00 p.m.

CVE-2018-7688 Open Build Service accepts arbitrary reviews

2018-06-0713:00:00

CWE-862

microfocus

www.cve.org

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

30.9%

JSON

A missing permission check in the review handling of openSUSE Open Build Service before 2.9.3 allowed all authenticated users to modify sources in projects where they do not have write permissions.

CNA Affected

[
  {
    "product": "Open Build Service",
    "vendor": "openSUSE",
    "versions": [
      {
        "lessThan": "2.9.3",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

bugzilla.suse.com/show_bug.cgi?id=CVE-2018-7688

github.com/openSUSE/open-build-service/commit/b15cf19e9e01115f653c76ffdc8f54cd97566553

lists.opensuse.org/opensuse-buildservice/2018-06/msg00014.html

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

AI Score

6.7

Confidence

High

EPSS

0.001

Percentile

30.9%

JSON

Related for CVELIST:CVE-2018-7688