OBS Service Vulnerable to Command Injection Attack

CVE-2024-22033

6.3MEDIUM

Key Information

Vendor: Suse
Status: Suse Package Hub 15 Sp5; Suse Package Hub 15 Sp6; Opensuse Leap 15.5; Opensuse Leap 15.6
Vendor: CVE Published:; 16 October 2024

Summary

The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps

Affected Version(s)

SUSE Package Hub 15 SP5 < 0.2.1-bp155.3.3.1

SUSE Package Hub 15 SP6 < 0.2.1-bp156.2.3.1

openSUSE Leap 15.5 < 0.2.1-bp155.3.3.1

CVSS V3.1

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Oct 16, 2024
Vulnerability Reserved.
Jan 4, 2024

Collectors

NVD DatabaseMitre Database

Credit

Maxime Rinaudo