OBS Service Vulnerable to Command Injection Attack
CVE-2024-22033

6.3MEDIUM

Key Information:

Vendor: Suse
Status: Suse Package Hub 15 Sp5; Suse Package Hub 15 Sp6; Opensuse Leap 15.5; Opensuse Leap 15.6
Vendor: CVE Published:; 16 October 2024

Summary

The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps

Affected Version(s)

openSUSE Leap 15.5 ? < 0.2.1-bp155.3.3.1

openSUSE Leap 15.6 ? < 0.2.1-bp156.2.3.1

openSUSE Tumbleweed ? < 0.2.1-1.1

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22033

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 16, 2024
Vulnerability Reserved
Jan 4, 2024

Credit

Maxime Rinaudo