CVE-2018-12467 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H
microfocus	CNA	6 MEDIUM	LOCAL	HIGH	LOW	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Affected Products (NVD)

Vendor	Product	Version
opensuse	open_build_service	𝑥 < 2.9.4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

open-build-service

bookworm	2.9.4-9 fixed
sid	2.9.4-10 fixed
stretch	no-dsa
trixie	2.9.4-10 fixed

Ubuntu Releases

Ubuntu Product

Codename

open-build-service

bionic	needs-triage
cosmic	ignored
disco	not-affected
eoan	not-affected
focal	dne
groovy	dne
hirsute	dne
impish	dne
jammy	dne
kinetic	ignored
lunar	ignored
mantic	ignored
noble	needs-triage
trusty	dne
xenial	dne

Common Weakness Enumeration

CWE-285 - Improper Authorization
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-732 - Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References

https://bugzilla.suse.com/show_bug.cgi?id=1100217

https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063

https://bugzilla.suse.com/show_bug.cgi?id=1100217

https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063