VYPR
Unrated severity · NVD Advisory · Published Mar 9, 2022 · Updated Sep 16, 2024

login-proxy sends password to attacker-provided domain

CVE-2021-36777

Description

A Reliance on Untrusted Inputs in a Security Decision vulnerability in the login proxy of the openSUSE Build service allowed attackers to present users with an expected login form that then sends the clear text credentials to an attacker specified server. This issue affects: openSUSE Build service login-proxy-scripts versions prior to dc000cdfe9b9b715fb92195b1a57559362f689ef.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The openSUSE Build service login proxy trusted an attacker-supplied `url` parameter, redirecting the login form and sending clear-text credentials to an attacker-controlled server.

Vulnerability

The openSUSE Build service login proxy scripts (login-proxy-scripts) prior to commit dc000cdfe9b9b715fb92195b1a57559362f689ef suffered from a reliance on untrusted inputs in a security decision. The login proxy accepted an attacker-controlled url parameter (e.g., ?url=http://www.zq1.de/) and used it to redirect the login form. When users submitted their credentials, the form sent the clear-text username and password to the server specified in the url parameter instead of the legitimate openSUSE service. Affected instances include build.opensuse.org, hackweek.suse.com, and build.suse.de [1].

Exploitation

An attacker needs only to craft a URL to an affected login proxy endpoint with an attacker-controlled url parameter pointing to an attacker-owned server capable of receiving POST requests. The attacker must then trick a victim into visiting that URL (e.g., via phishing or a hijacked link). When the victim sees what appears to be a legitimate login form and enters credentials, the form submits the credentials in clear text to the attacker's server. No user interaction beyond entering credentials is required [1].

Impact

Successful exploitation results in complete disclosure of the victim's clear-text username and password for the openSUSE Build service. An attacker can then use these credentials to authenticate as the victim, potentially gaining access to the Build service resources (e.g., packages, projects) and possibly other services that share the same credentials [1].

Mitigation

The openSUSE Build service infrastructure was patched by removing the dangerous url parameter from the login proxy. The commit d0b45f98fc74b254ee0585f26647cb6c8d2c871f addressed the issue, and the general removal of the url parameter required further testing to ensure no regressions. Users of the openSUSE Build service should ensure they are using a version including commit dc000cdfe9b9b715fb92195b1a57559362f689ef or later. The appliance is not affected because the proxy code is only used on SUSE/openSUSE infrastructure [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
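The flaw and its fix, as an added illustration that is not the login-proxy-scripts code: the vulnerable pattern lets the `url` request parameter decide where the login form posts, while the hardened version keeps the form action fixed to the proxy's own endpoint and only uses a validated return URL (local path or https on an allow-listed host) after login. The function names, the `/login` endpoint and the use of the three hosts from the advisory as an allow-list are assumptions made for this example.

```python
from urllib.parse import urlparse

# Hosts the advisory names as running the login proxy; used here as the allow-list
# for post-login redirects (an assumption for this example, not project configuration).
ALLOWED_HOSTS = {"build.opensuse.org", "hackweek.suse.com", "build.suse.de"}
LOGIN_ENDPOINT = "/login"  # hypothetical fixed form action of the proxy


def vulnerable_form_action(url_param, default=LOGIN_ENDPOINT):
    """Vulnerable pattern (hypothetical reconstruction, not the project's code):
    whatever arrives in ?url= becomes the login form's action, so a victim who
    follows ?url=http://www.zq1.de/ posts their clear-text credentials there."""
    return url_param or default


def safe_return_url(url_param, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return a post-login destination that is either a local path or an https URL
    on an allow-listed host; anything else falls back to `default`."""
    if not url_param:
        return default
    # Browsers treat backslashes like forward slashes; urlparse does not. Reject them.
    if "\\" in url_param:
        return default
    parsed = urlparse(url_param)
    if not parsed.scheme and not parsed.netloc:
        # Plain relative path. urlparse puts "//host" into netloc, so a
        # protocol-relative URL never reaches this branch.
        return url_param if url_param.startswith("/") else default
    # Absolute URL: require https and an allow-listed host. `hostname` (not
    # `netloc`) discards userinfo and port, so "https://build.opensuse.org@evil/"
    # is compared as "evil" and rejected.
    if parsed.scheme == "https" and parsed.hostname in allowed_hosts:
        return url_param
    return default


def build_login_page(url_param):
    """Hardened behaviour: the form action never depends on request input; the
    url parameter only influences the post-login redirect, and only after
    validation. The advisory's actual fix went further and dropped the
    parameter entirely."""
    return {"action": LOGIN_ENDPOINT, "next": safe_return_url(url_param)}


if __name__ == "__main__":
    # Constructed sample inputs, including the attacker host quoted in the advisory.
    for sample in ["http://www.zq1.de/", "//www.zq1.de/", "/project/list",
                   "https://build.opensuse.org@www.zq1.de/"]:
        print(sample, "->", vulnerable_form_action(sample), "|", build_login_page(sample))
```

The key design point is that the destination of the credential POST is never a decision made on untrusted input; the `url` value is reduced to a redirect target and still has to pass a strict check, with a safe local default when it does not.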

Affected products (2)

  • OpenSUSE / Build service (2 versions)
    • (no CPE) range: < dc000cdfe9b9b715fb92195b1a57559362f689ef
    • (no CPE) range: login-proxy-scripts

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.