openbuildservice webui code injection
Description
In the web UI of the Open Build Service before 2.3.0, a code injection in the project rebuild-times statistics page could be used by authorized attackers to execute arbitrary shell commands on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Open Build Service web UI before 2.3.0 allowed authenticated users to inject shell commands via the 'scheduler' parameter in the rebuild time statistics, leading to remote code execution.
Vulnerability
The Open Build Service (OBS) web interface before version 2.3.0 contains a command injection vulnerability in the rebuild_time action. The scheduler parameter (params[:scheduler], defaulting to "needed" when absent) is interpolated, unvalidated, into a single shell command string that is handed to system() to run mkdiststats. Because that string already contains shell metacharacters ("cd ... && perl ..."), Ruby executes it via /bin/sh, so any metacharacters in the parameter are interpreted by the shell. This affects all OBS instances running versions before 2.3.0 [1], [2].
Exploitation
An authenticated attacker with access to the web UI can supply a malicious value for the scheduler parameter (via a crafted URL or form submission). The value is interpolated into a command string: system("cd #{RAILS_ROOT}/vendor/diststats && perl ./mkdiststats ... --scheduler=#{@scheduler}"). Since the whole string is parsed by /bin/sh, a value such as needed; id, or one using &&, |, backticks or $(...), makes the shell run the attacker's command after (or instead of) mkdiststats. No special privileges beyond a valid user account are required [1], [2].
Impact
Successful exploitation results in remote code execution (RCE) with the privileges of the web application process. The attacker can execute arbitrary shell commands, potentially gaining full control of the underlying server, reading or modifying files, or pivoting to internal systems. Confidentiality, integrity, and availability of the affected OBS instance and host are compromised [1].
Mitigation
The vulnerability is fixed in Open Build Service version 2.3.0 and later. The fix in commit cbfe2ed adds a whitelist validation for the scheduler parameter (allowing only "fifo", "lifo", "random", "btime", "needed", "neededb", "longest_data", "longested_triedread", "longest") and changes the system() call to the multi-argument (array) form, in which Ruby passes the arguments to execve directly and no shell parses them [2]. Users should upgrade to OBS 2.3.0 or apply the patch. No workarounds are documented; restricting access to the web UI to trusted users reduces exposure but does not remove the flaw, since any valid account is enough to reach the endpoint.
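The following Ruby block is an added example, not code from Open Build Service or its fix commit. It reproduces the two shapes of system()-style call from the Exploitation and Mitigation sections side by side, using `echo` as a stand-in for the real mkdiststats script (an assumption so the block runs anywhere with a POSIX shell), and wraps the whitelist check from the patch in a hypothetical simplified `rebuild_time` handler. The attacker value `needed; echo INJECTED` is constructed for the demonstration.

```ruby
# Added example (not OBS code): string-form vs array-form command execution
# in Ruby, plus the whitelist check that the fix introduced.
require 'open3'

# Allowed values as listed in the fix commit (spellings copied from the patch).
ALLOWED_SCHEDULERS = %w[fifo lifo random btime needed neededb
                        longest_data longested_triedread longest].freeze

def scheduler_valid?(value)
  ALLOWED_SCHEDULERS.include?(value)
end

# Pre-fix shape: one interpolated string. Because the string contains shell
# metacharacters, Ruby runs it through /bin/sh -c, so the shell also parses
# whatever the attacker put into `scheduler`.
def run_string_form(scheduler)
  out, _status = Open3.capture2("echo --scheduler=#{scheduler}")
  out
end

# Post-fix shape: one argv element per argument. Ruby calls execve directly,
# no shell is involved, and the whole value reaches the program as a single
# argument, metacharacters included but uninterpreted.
def run_array_form(scheduler)
  out, _status = Open3.capture2('echo', "--scheduler=#{scheduler}")
  out
end

# Hypothetical, simplified stand-in for the patched rebuild_time action:
# reject anything not on the whitelist, then only ever use the array form.
def rebuild_time(params)
  scheduler = params[:scheduler] || 'needed'
  return { error: 'Invalid scheduler type' } unless scheduler_valid?(scheduler)
  { output: run_array_form(scheduler) }
end

if __FILE__ == $PROGRAM_NAME
  payload = 'needed; echo INJECTED' # constructed attacker-controlled value
  puts "string form: #{run_string_form(payload).inspect}" # second command ran
  puts "array form:  #{run_array_form(payload).inspect}"  # one literal argument
  p rebuild_time(scheduler: payload)                      # rejected by whitelist
  p rebuild_time({})                                      # default "needed"
end
```

The string form prints two lines because `/bin/sh` ran `echo INJECTED` as a second command; the array form prints the payload back as one literal argument. The whitelist is the primary control, the array form is defence in depth: it also keeps every other interpolated value (`@hosts`, `@repository`, `@arch`, `@project.name`) away from a shell, although mkdiststats itself still receives them verbatim.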
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <2.3.0
- opensuse/openbuildservice (v5): Range: unspecified
Patches
- cbfe2ed36dd7: [webui] check the value of the scheduler parameter
1 file changed · +15 −3
src/webui/app/controllers/project_controller.rb+15 −3 modified@@ -457,6 +457,11 @@ def rebuild_time @arch = params[:arch] @hosts = begin Integer(params[:hosts] || '40') rescue 40 end @scheduler = params[:scheduler] || 'needed' + unless ["fifo", "lifo", "random", "btime", "needed", "neededb", "longest_data", "longested_triedread", "longest"].include? @scheduler + flash[:error] = "Invalid scheduler type, check mkdiststats docu - aehm, source" + redirect_to :action => :show, :project => @project + return + end bdep = find_cached(BuilddepInfo, :project => @project.name, :repository => @repository, :arch => @arch) jobs = find_cached(Jobhislist , :project => @project.name, :repository => @repository, :arch => @arch, :limit => @packages.each.size * 3, :code => ['succeeded', 'unchanged']) @@ -473,9 +478,16 @@ def rebuild_time f.write(jobs.dump_xml) f.close outdir = Dir.mktmpdir - cmd="perl ./mkdiststats '--srcdir=#{indir}' '--destdir=#{outdir}' --outfmt=xml #{@project.name}/#{@repository}/#{@arch} --width=910 --buildhosts=#{@hosts} --scheduler=#{@scheduler}" - logger.debug "cd #{RAILS_ROOT}/vendor/diststats && #{cmd}" - system("cd #{RAILS_ROOT}/vendor/diststats && #{cmd}") + logger.debug "cd #{RAILS_ROOT}/vendor/diststats && perl ./mkdiststats --srcdir=#{indir} --destdir=#{outdir} + --outfmt=xml #{@project.name}/#{@repository}/#{@arch} --width=910 + --buildhosts=#{@hosts} --scheduler=#{@scheduler}" + fork do + Dir.chdir("#{RAILS_ROOT}/vendor/diststats") + system("perl", "./mkdiststats", "--srcdir=#{indir}", "--destdir=#{outdir}", + "--outfmt=xml", "#{@project.name}/#{@repository}/#{@arch}", "--width=910", + "--buildhosts=#{@hosts}", "--scheduler=#{@scheduler}") + end + Process.wait f=File.open(outdir + "/rebuild.png") png=f.read f.close
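Review bot: in the first hunk, the allowed-value list is hand-transcribed (the error text itself says "check mkdiststats docu - aehm, source") and `"longested_triedread"` reads like a misspelling; verify every entry against the scheduler names mkdiststats actually accepts, since a wrong entry silently rejects a legitimate option (it cannot reintroduce the injection). The `flash[:error]` message is a developer aside; a plain user-facing message would be better.

Review bot: in the second hunk, `Process.wait` with no pid waits for any child, so under an app server that already forks or spawns helpers it can reap the wrong process and leave this one a zombie; capture the pid (`pid = fork do ... end` then `Process.wait(pid)`). The child also exits 0 no matter whether `system(...)` succeeded, because the block simply falls off the end, so on failure the parent proceeds to `File.open(outdir + "/rebuild.png")` and raises ENOENT instead of reporting the real error; propagate the status with `exit!(system(...) ? 0 : 1)` and check `$?` after the wait. The fork exists only to scope `Dir.chdir`; on Ruby 1.9+ `system(..., chdir: "#{RAILS_ROOT}/vendor/diststats")` does that without a second process. Finally, `@repository`, `@arch` and `@project.name` still reach mkdiststats unvalidated as the positional `#{@project.name}/#{@repository}/#{@arch}` argument: the array form keeps them out of any shell, but the script still parses them, so a check like the one added for `@scheduler` (for example against the repositories and architectures the project actually has) is worth adding.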
Vulnerability mechanics
Root cause
"Missing input validation on the scheduler parameter allows shell command injection via string interpolation into a system() call."
Attack vector
An authorized attacker can supply a malicious `scheduler` parameter to the rebuild time statistics page. The original code concatenated this parameter directly into a shell command string passed to `system()` [patch_id=2243758]. By injecting shell metacharacters (e.g., backticks, semicolons, or pipe characters) into the `scheduler` value, the attacker can execute arbitrary shell commands on the server. The attacker must be authenticated (authorized) to access the web UI endpoint.
Affected code
The vulnerability is in the `rebuild_time` action of `src/webui/app/controllers/project_controller.rb` [patch_id=2243758]. The `@scheduler` parameter is taken directly from user-supplied `params[:scheduler]` and interpolated into a shell command string without validation.
What the fix does
The patch adds two changes [patch_id=2243758]. First, it validates `@scheduler` against a whitelist of allowed values (`"fifo"`, `"lifo"`, `"random"`, `"btime"`, `"needed"`, `"neededb"`, `"longest_data"`, `"longested_triedread"`, `"longest"`), rejecting any unexpected input with an error message. Second, it replaces the single-string `system()` call with a multi-argument `system()` call inside a `fork`, which prevents shell interpretation of the arguments even if a whitelisted value somehow contained special characters. Together these changes eliminate the shell injection vector.
Preconditions
- auth: Attacker must be an authorized user of the Open Build Service web UI
- network: Attacker must have access to the rebuild time statistics page endpoint
- input: Attacker supplies a crafted scheduler parameter containing shell metacharacters
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] bugzilla.suse.com/show_bug.cgi (MITRE x_refsource_CONFIRM)
- [2] github.com/openSUSE/open-build-service/commit/cbfe2ed36dd77c0843702935dea7f914bb599201 (MITRE x_refsource_CONFIRM)