VYPR
Unrated severity · NVD Advisory · Published Aug 1, 2018 · Updated Sep 16, 2024

delete package via link exploit in open buildservice

CVE-2018-12467

Description

Authorized users of the openbuildservice before 2.9.4 could delete packages by using a malicious request against projects having the OBS:InitializeDevelPackage attribute, a similar issue to CVE-2018-7689.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authorized users of Open Build Service (OBS) before 2.9.4 could delete packages by abusing the OBS:InitializeDevelPackage attribute via a malicious request.

Vulnerability

Open Build Service (OBS) before version 2.9.4 is affected. An authorized user with access to a project carrying the OBS:InitializeDevelPackage attribute could send a crafted request that causes a package to be deleted without holding delete rights on that package. The issue is similar to CVE-2018-7689 and stems from an insufficient permission check in BsRequestAction.check_action_permission!, which resolved the source package of a request through project links. The fix [1] [2] closes the gap by ignoring project links when determining the source package.

Exploitation

An attacker must be an authorized user of the OBS instance and must target a project that has the OBS:InitializeDevelPackage attribute. By submitting a crafted request (for example, a package deletion request) that hits the gap in the permission check, the attacker can trigger the deletion of a package they would not otherwise be allowed to delete. The original code did not handle project links correctly when resolving the package a request acts on, which is what allowed the permission check to be bypassed [2].
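To make the permission-check gap concrete, here is a small Ruby model, written for this page and not taken from the OBS code base, of the pattern the fix addresses: a delete request names a package in a project the user controls, the lookup follows that project's link into another project, and the rights check is made against the named project while the deletion lands on the linked one. The project names, the `resolve_package` and `check_delete_*` helpers and the `follow_links:` flag are all assumptions for illustration; the example does not model the OBS:InitializeDevelPackage attribute itself, only the link-following lookup that the fix turns off.

```ruby
# Added illustration for this advisory, not Open Build Service code.
# Models two projects: "Base:Upstream" owns package "kernel";
# "home:mallory" owns nothing but links to Base:Upstream.
# Names, helpers and the follow_links: flag are assumptions for this example.

class PermissionError < StandardError; end

Project = Struct.new(:name, :packages, :link_to, :maintainers)

# Look up package_name starting at project_name. With follow_links: true
# the search walks the project link chain, as a link-aware lookup would;
# with follow_links: false only a package stored in project_name itself
# is found. Returns [owning_project, package_name] or nil.
def resolve_package(projects, project_name, package_name, follow_links:)
  seen = []
  name = project_name
  while name && !seen.include?(name)
    seen << name
    proj = projects[name]
    break unless proj
    return [proj, package_name] if proj.packages.include?(package_name)
    break unless follow_links
    name = proj.link_to
  end
  nil
end

# Vulnerable pattern: rights are checked against the project named in the
# request, but the package acted on is wherever the link-following lookup
# found it, so a maintainer of the linking project can delete from the
# linked-to project.
def check_delete_vulnerable(projects, user, project_name, package_name)
  owner, pkg = resolve_package(projects, project_name, package_name, follow_links: true)
  raise PermissionError, "no such package" unless owner
  requested = projects.fetch(project_name)
  unless requested.maintainers.include?(user)
    raise PermissionError, "#{user} is not a maintainer of #{project_name}"
  end
  owner.packages.delete(pkg)
  "#{owner.name}/#{pkg}"
end

# Hardened pattern: project links are ignored, so the package must exist
# in the named project, and the rights check and the deletion refer to
# the same object.
def check_delete_fixed(projects, user, project_name, package_name)
  owner, pkg = resolve_package(projects, project_name, package_name, follow_links: false)
  raise PermissionError, "no package #{package_name} in #{project_name}" unless owner
  unless owner.maintainers.include?(user)
    raise PermissionError, "#{user} is not a maintainer of #{owner.name}"
  end
  owner.packages.delete(pkg)
  "#{owner.name}/#{pkg}"
end

# Constructed fixture: mallory maintains only her home project, which
# links to Base:Upstream, where alice maintains "kernel".
def build_fixture
  {
    "Base:Upstream" => Project.new("Base:Upstream", ["kernel"], nil, ["alice"]),
    "home:mallory"  => Project.new("home:mallory", [], "Base:Upstream", ["mallory"]),
  }
end

if $PROGRAM_NAME == __FILE__
  projects = build_fixture
  puts "vulnerable: deleted #{check_delete_vulnerable(projects, 'mallory', 'home:mallory', 'kernel')}"
  projects = build_fixture
  begin
    check_delete_fixed(projects, 'mallory', 'home:mallory', 'kernel')
  rescue PermissionError => e
    puts "fixed: #{e.message}"
  end
end
```

Run with `ruby` and the vulnerable path reports that `Base:Upstream/kernel` was deleted on mallory's authority over `home:mallory` alone, while the hardened path refuses because no such package exists in the named project. The general lesson is the one the fix encodes: the object a permission check covers and the object the operation mutates must be resolved the same way.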

Impact

Successful exploitation lets an authorized user delete packages they have no right to delete. This can cause denial of service, loss of critical packages and disruption of build service operations. Exploitation requires an account on the instance, but with one, arbitrary package deletion is possible without the proper permission.

Mitigation

Upgrade to Open Build Service 2.9.4 or later, which includes the fix in commit f57b660f49f830006766a8d4abc3b4af6e178063 [2]. No workaround is known; updating to the patched version is the only mitigation.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
