open-build-service retrigger / wipebinaries hitting the wrong project bypassing access permissions
CVE-2017-9268

4.4MEDIUM

Key Information:

Vendor: Suse
Status: Open Build Service
Vendor: CVE Published:; 1 March 2018

Summary

In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to cause operations on projects where they did not have permissions leading to denial of service (resource consumption).

Affected Version(s)

open build service < 20170722 git

References

https://bugzilla.suse.com/show_bug.cgi?id=1045519

x_refsource_CONFIRM

https://github.com/openSUSE/open-build-service/pull/3267

x_refsource_CONFIRM

CVSS V3.1

Score:

4.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 1, 2018
Vulnerability Reserved
May 29, 2017

Credit

Adrian Schröter of SUSE