Request controller allows to create requests with arbitrary request IDs

Vulnerability

The request controller in openSUSE Open Build Service versions prior to commit 01b015ca2a320afc4fae823465d1e72da8bd60df contains an improper input validation vulnerability [1]. This allows remote attackers to cause a denial of service by specifying crafted request IDs that the controller does not properly validate.

Exploitation

An attacker can send a crafted request to the Open Build Service with an arbitrary request ID. No authentication is required, and the attack can be performed remotely over HTTP. The request ID is used in a way that leads to resource exhaustion or crash, resulting in denial of service.

Impact

Successful exploitation results in a denial of service, making the Open Build Service unavailable to legitimate users. The attack affects the availability of the service without requiring any special privileges.

Mitigation

The vulnerability is fixed in commit 01b015ca2a320afc4fae823465d1e72da8bd60df [1]. Users should update their Open Build Service installations to include this commit or a later version. No workarounds are documented.