VYPR
Unrated severity · NVD Advisory · Published Jun 7, 2018 · Updated Sep 16, 2024

Open Build Service arbitrary package modification

CVE-2018-7689

Description

Lack of permission checks in the InitializeDevelPackage function in openSUSE Open Build Service before 2.9.3 allowed authenticated users to modify packages where they do not have write permissions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users could modify packages without write permissions in openSUSE Open Build Service before 2.9.3 due to missing permission checks in InitializeDevelPackage.

Vulnerability

The InitializeDevelPackage function in openSUSE Open Build Service (OBS) before version 2.9.3 lacked proper permission checks. This allowed authenticated users to modify packages for which they did not have write permissions. The issue is present in the OBS API and webui components. [1][2]

Exploitation

An attacker needs to be an authenticated user of the OBS instance. By exploiting the missing permission check in InitializeDevelPackage, the attacker could submit requests to modify packages without having the required maintainer role on the source package. The commit shows that the fix adds permission checks for the source package when the InitializeDevelPackage attribute is set on the project. [2]

Impact

Successful exploitation allows an authenticated attacker to modify packages they should not have write access to, potentially leading to unauthorized changes to package content, metadata, or dependencies. This could compromise the integrity of the build service and affect downstream users.

Mitigation

The vulnerability is fixed in openSUSE Open Build Service version 2.9.3. The fix was implemented in commit 990ef7cccef6f38fc1d1a1bb22a08e174dcba43b. Users should upgrade to version 2.9.3 or later. No workarounds are mentioned in the references. [1][2]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

3
