CVE-2018-12477 LOW

CVE-2018-12477: obs-service-refresh_patches can be tricked into deleting '..' or other unrelated directories

Vendor Opensuse
Product Open Build Service
Weakness CWE-93 · CRLF injection
Published October 9, 2018
Last update September 16, 2024

CVSS base score

3.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

A Improper Neutralization of CRLF Sequences vulnerability in Open Build Service allows remote attackers to cause deletion of directories by tricking obs-service-refresh_patches to delete them. Affected releases are openSUSE Open Build Service: versions prior to d6244245dda5367767efc989446fe4b5e4609cce.

Key dates

02Disclosure timeline

October 9, 2018 CVE published
September 16, 2024 Record updated