osc: stores downloaded (supposed) RPM in network-controlled filesystem paths
Description
An External Control of File Name or Path vulnerability in osc of SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Software Development Kit 12-SP5, SUSE Linux Enterprise Software Development Kit 12-SP4, openSUSE Leap 15.1 and openSUSE Factory allowed remote attackers who can alter the packages being downloaded to overwrite arbitrary files. This issue affects: SUSE Linux Enterprise Module for Development Tools 15 osc versions prior to 0.169.1-3.20.1; SUSE Linux Enterprise Software Development Kit 12-SP5 osc versions prior to 0.162.1-15.9.1; SUSE Linux Enterprise Software Development Kit 12-SP4 osc versions prior to 0.162.1-15.9.1; openSUSE Leap 15.1 osc versions prior to 0.169.1-lp151.2.15.1; openSUSE Factory osc versions prior to 0.169.0.
Affected products
Package coordinates (OSV):
- pkg:rpm/opensuse/osc (openSUSE Leap 15.1): versions < 0.169.1-lp151.2.15.1
- pkg:rpm/opensuse/osc (openSUSE Tumbleweed): versions < 0.174.0-1.2
- pkg:rpm/suse/osc (SUSE Linux Enterprise Module for Development Tools 15 SP1): versions < 0.169.1-3.20.1
- pkg:rpm/suse/osc (SUSE Linux Enterprise Module for Development Tools 15 SP2): versions < 0.169.1-3.20.1
- pkg:rpm/suse/osc (SUSE Linux Enterprise Software Development Kit 12 SP4): versions < 0.162.1-15.9.1
- pkg:rpm/suse/osc (SUSE Linux Enterprise Software Development Kit 12 SP5): versions < 0.162.1-15.9.1
CVE record (v5), package osc, no CPE assigned:
- openSUSE / openSUSE Factory
- openSUSE / openSUSE Leap 15.1
- SUSE / SUSE Linux Enterprise Module for Development Tools 15
References
- bugzilla.suse.com/show_bug.cgi (x_refsource_CONFIRM)