VYPR
Unrated severity · NVD Advisory · Published May 19, 2020 · Updated Sep 16, 2024

Unauthorized read access to files where sourceaccess is disabled via a crafted _service file in Open Build Service

CVE-2020-8021

Description

An Improper Access Control vulnerability in Open Build Service allows remote attackers to read files of an OBS package where the sourceaccess/access is disabled. This issue affects Open Build Service versions prior to 2.10.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Remote attackers can bypass source access restrictions in Open Build Service (< 2.10.5) via a crafted _service file, leading to unauthorized file disclosure.

Vulnerability

An improper access control vulnerability exists in Open Build Service (OBS) versions prior to 2.10.5 [1]. The bug allows remote attackers to bypass the sourceaccess/access restrictions on OBS packages by crafting a malicious _service file. This file is used by the build service to define source handling operations, and when processed, it triggers the disclosure of files that should be protected [1].

Exploitation

An attacker must be an authenticated user of the OBS instance [1]. They craft a specially designed _service file and submit it to a project or package where the sourceaccess or access flag is set to disabled (i.e., not publicly readable). The attacker does not need any special role beyond being a valid OBS user; the attack is performed remotely over the network [1]. The exact steps involve creating a _service file that triggers an operation to read protected files, leading to their exposure.

Impact

Successful exploitation leads to unauthorized disclosure of files belonging to an OBS package for which source access is restricted [1]. The attacker can read arbitrary files within that package, potentially exposing proprietary source code, build secrets, or configuration data. The compromised files are made available to the attacker, violating the confidentiality of the restricted package [1].

Mitigation

The vulnerability is fixed in Open Build Service version 2.10.5 [1]. Users should update to this version or later. There is no known workaround for earlier versions. The issue was reported via the SUSE Bugzilla and resolved in the referenced update [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
