Attackers can inject malicious files into osc package sources
CVE-2024-22034

5.5MEDIUM

Key Information:

Vendor: Suse
Status: Suse Linux Enterprise Desktop 15 Sp5; Suse Linux Enterprise High Performance Computing 15 Sp5; Suse Linux Enterprise Module For Development Tools 15 Sp5; Suse Linux Enterprise Server 15 Sp5
Vendor: CVE Published:; 16 October 2024

Summary

A configuration manipulation vulnerability exists in the open source configuration tool, osc, where attackers can place special files within the .osc directory into the actual package sources. By exploiting this flaw, an attacker can modify critical configuration settings, potentially impacting system operations and security for the victim user. This vulnerability highlights the importance of securing configuration tools against unauthorized access and manipulation.

Affected Version(s)

openSUSE Leap 15.5 ? < 1.9.0-150400.10.6.1

openSUSE Leap 15.6 ? < 1.9.0-150400.10.6.1

openSUSE Tumbleweed ? < 1.9.0-1.1

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22034

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Oct 16, 2024
Vulnerability Reserved
Jan 4, 2024

Credit

Daniel Mach of SUSE