Description
The build package before 20171128 did not check directory names during extraction of build results, which allowed untrusted builds to write outside of the target system, allowing escape out of buildroots.
References (3)
Core References
Mailing List, vendor-advisory, x_refsource_suse: https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html
Mailing List, vendor-advisory, x_refsource_suse: https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00025.html
Mailing List, vendor-advisory, x_refsource_suse: https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00030.html
Scores
CVSS v3: 9.9
EPSS: 0.0043
EPSS Percentile: 62.8%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
CWE: CWE-22, CWE-20
Status: published
Products (4)
opensuse/leap 42.2
opensuse/leap 42.3
suse/linux_enterprise_software_development_kit 11 sp4
suse/linux_enterprise_software_development_kit 12 sp2 (2 CPE variants)
Published: Mar 01, 2018
Tracked Since: Feb 18, 2026