VYPR
Unrated severity · NVD Advisory · Published Jun 7, 2018 · Updated Sep 16, 2024

Open Build Service accepts arbitrary reviews

CVE-2018-7688

Description

A missing permission check in the review handling of openSUSE Open Build Service before 2.9.3 allowed all authenticated users to modify sources in projects where they do not have write permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A missing permission check in openSUSE Open Build Service before 2.9.3 allows authenticated users to bypass review requirements and modify project sources.

Vulnerability

The vulnerability resides in the review handling of openSUSE Open Build Service (OBS) versions before 2.9.3. When creating a new request, the system did not validate the initial state of reviews; it accepted the state provided in the XML input. This allowed an attacker to set reviews to "accepted" instead of the required "new" state, bypassing the intended review workflow [1].

Exploitation

An authenticated attacker can craft a submit request with XML that includes reviews already in the "accepted" state. For example, a user "mallory" can create a request targeting a project that requires reviews from specific users, and set those reviews to "accepted" in the request XML. If an automated script periodically accepts requests with all reviews accepted, the malicious request can be automatically approved, allowing the attacker to modify source packages in projects where they lack write permissions [1].

Impact

Successful exploitation allows an authenticated attacker to modify source code in projects where they do not have write permissions. This can lead to unauthorized changes to packages, potentially introducing malicious code or disrupting the build process. The attacker gains the ability to submit changes that bypass the intended review process, compromising the integrity of the software supply chain [1].

Mitigation

The fix was implemented in commit b15cf19e9e01115f653c76ffdc8f54cd97566553, which initializes the review state to :new regardless of the state provided in the XML [2]. This ensures that all reviews start in the "new" state and must be explicitly accepted. The vulnerability is fixed in openSUSE Open Build Service version 2.9.3. Users should upgrade to this version or later. No workaround is available for earlier versions [1].
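The defect and its fix, modelled as an added example that is not OBS's own code: a simplified Ruby parser for a submit request that builds review records two ways, once trusting the client-supplied `state` attribute (pre-2.9.3 behaviour as described above) and once forcing every review to `:new` (the fix), followed by the kind of "all reviews accepted?" check an auto-accept job would run. The XML document, reviewer names and function names are constructed assumptions.

```ruby
require 'rexml/document'

# Constructed OBS-style submit request XML (not taken from the project):
# the submitter has pre-filled both required reviews as "accepted".
CRAFTED_REQUEST_XML = <<~XML
  <request>
    <action type="submit">
      <source project="home:mallory" package="foo"/>
      <target project="openSUSE:Factory" package="foo"/>
    </action>
    <review by_user="reviewer1" state="accepted"/>
    <review by_group="factory-maintainers" state="accepted"/>
  </request>
XML
Review = Struct.new(:by, :state)

# Reviewer identity comes from either by_user or by_group.
def reviewer_of(el)
  el.attributes['by_user'] || el.attributes['by_group']
end

# Pre-2.9.3 behaviour as the advisory describes it: the state attribute in
# the client-supplied XML is trusted when the request is created.
def reviews_trusting_xml(xml)
  doc = REXML::Document.new(xml)
  doc.elements.collect('request/review') do |el|
    Review.new(reviewer_of(el), (el.attributes['state'] || 'new').to_sym)
  end
end

# Fixed behaviour: every review on a newly created request starts as :new,
# whatever the XML claims; only a later, authorised review action may move
# it to :accepted, so the submitter cannot pre-approve their own request.
def reviews_forced_new(xml)
  doc = REXML::Document.new(xml)
  doc.elements.collect('request/review') do |el|
    Review.new(reviewer_of(el), :new)
  end
end

# The check an automated accept job would run before approving a request.
def all_reviews_accepted?(reviews)
  !reviews.empty? && reviews.all? { |r| r.state == :accepted }
end

if __FILE__ == $PROGRAM_NAME
  puts "trusting XML: auto-accept=#{all_reviews_accepted?(reviews_trusting_xml(CRAFTED_REQUEST_XML))}"
  puts "forcing :new: auto-accept=#{all_reviews_accepted?(reviews_forced_new(CRAFTED_REQUEST_XML))}"
end
```

With the crafted XML, the trusting parser lets the request pass the auto-accept check, while the fixed parser yields two `:new` reviews and the check fails until each reviewer acts.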

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
