CVE-2018-7689

Description

Lack of permission checks in the InitializeDevelPackage function in openSUSE Open Build Service before 2.9.3 allowed authenticated users to modify packages where they do not have write permissions.

CVSS breakdown

CVSS 3.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Affected products

openSUSE / Open Build Serviceunspecified – 2.9.3

References

MISChttps://bugzilla.suse.com/show_bug.cgi?id=CVE-2018-7689
PATCHhttps://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b
MAILING_LISThttps://lists.opensuse.org/opensuse-buildservice/2018-06/msg00014.html