openSUSE/open-build-service

GitHub

github.com

openbuildservice.org

Releases155

Frequency1 month 1 week

Last Release about 2 months ago

Stars1.06K

Build and distribute Linux packages from sources in an automatic, consistent and reproducible way #obs

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2018-12466 ↗	Aug 1, 2018Wednesday, 1 August 2018, 15:29	—	5.5 MEDIUM
openSUSE openbuildservice before 9.2.4 allowed authenticated users to delete packages on specific projects with project links.
CVE-2018-12467 ↗	Aug 1, 2018Wednesday, 1 August 2018, 15:29	—	5.5 MEDIUM
Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.
CVE-2011-4183 ↗	Jun 13, 2018Wednesday, 13 June 2018, 13:29	—	7.5 HIGH
A vulnerability in open build service allows remote attackers to upload arbitrary RPM files. Affected releases are SUSE open build service prior to 2.1.16.
CVE-2011-4181 ↗	Jun 11, 2018Monday, 11 June 2018, 15:29	7.5 HIGH	5 MEDIUM
A vulnerability in open build service allows remote attackers to gain access to source files even though source access is disabled. Affected releases are SUSE open build service up to and including version 2.1.15 (for 2.1) and before version 2.3.
CVE-2013-3703 ↗	Jun 8, 2018Friday, 8 June 2018, 17:29	—	4 MEDIUM
The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project meta data.
CVE-2014-0594 ↗	Jun 8, 2018Friday, 8 June 2018, 17:29	—	6.8 MEDIUM
In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent.
CVE-2018-7688 ↗	Jun 7, 2018Thursday, 7 June 2018, 13:29	—	4 MEDIUM
A missing permission check in the review handling of openSUSE Open Build Service before 2.9.3 allowed all authenticated users to modify sources in projects where they do not have write permissions.
CVE-2018-7689 ↗	Jun 7, 2018Thursday, 7 June 2018, 13:29	—	4 MEDIUM
Lack of permission checks in the InitializeDevelPackage function in openSUSE Open Build Service before 2.9.3 allowed authenticated users to modify packages where they do not have write permissions.
CVE-2011-3178 ↗	Mar 20, 2018Tuesday, 20 March 2018, 18:29	—	6.5 MEDIUM
In the web ui of the openbuildservice before 2.3.0 a code injection of the project rebuildtimes statistics could be used by authorized attackers to execute shellcode.
CVE-2015-0796 ↗	Mar 2, 2018Friday, 2 March 2018, 20:29	—	4.6 MEDIUM
In open buildservice 2.6 before 2.6.3, 2.5 before 2.5.7 and 2.4 before 2.4.8 the source service patch application could generate non-standard files like symlinks or device nodes, which could allow buildservice users to break of confinement or cause denial of service attacks on the source service.
CVE-2017-5188 ↗	Mar 1, 2018Thursday, 1 March 2018, 20:29	—	5 MEDIUM
The bs_worker code in open build service before 20170320 followed relative symlinks, allowing reading of files outside of the package source directory during build, allowing leakage of private information.
CVE-2017-9268 ↗	Mar 1, 2018Thursday, 1 March 2018, 20:29	—	4 MEDIUM
In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to cause operations on projects where they did not have permissions leading to denial of service (resource consumption).
CVE-2011-0469 ↗	Aug 17, 2017Thursday, 17 August 2017, 16:29	—	9 HIGH
Code injection in openSUSE when running some source services used in the open build service 2.1 before March 11 2011.