CVE-2013-3703
HIGHOpen Build Service 2.4.0-2.4.3 - Authenticated Missing Authorization in API Controller
Title source: llmDescription
The controller of the Open Build Service API prior to version 2.4.4 is missing a write permission check, allowing an authenticated attacker to add or remove user roles from packages and/or project meta data.
References (2)
Core 2
Core References
Issue Tracking x_refsource_confirm
https://bugzilla.suse.com/show_bug.cgi?id=828256
Scores
CVSS v3
8.8
EPSS
0.0093
EPSS Percentile
56.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-275
CWE-862
Status
published
Products (1)
opensuse/open_build_service
2.4.0 - 2.4.4
Published
Jun 08, 2018
Tracked Since
Feb 18, 2026