CVE-2018-7689

Name: CVE-2018-7689
Description: Lack of permission checks in the InitializeDevelPackage function in openSUSE Open Build Service before 2.9.3 allowed authenticated users to modify packages where they do not have write permissions.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 903797

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package            Release  Version   Status
open-build-service (PTS)  stretch  2.7.1-10  vulnerable
open-build-service (PTS)  sid      2.7.4-3   vulnerable

The information below is based on the following data on fixed versions.

Package             Type    Release     Fixed Version  Urgency  Origin  Debian Bugs
open-build-service  source  (unstable)  (unfixed)      low      -       903797

Notes

[stretch] - open-build-service <no-dsa> (Minor issue)
https://bugzilla.suse.com/show_bug.cgi?id=1094819
https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b
