CVE-2018-12477— obs-service-refresh_patches can be tricked into deleting '..' or other unrelated directories
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2018-12477
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
obs-service-refresh_patches can be tricked into deleting '..' or other unrelated directories
Source: NVD (National Vulnerability Database)
Vulnerability Description
A Improper Neutralization of CRLF Sequences vulnerability in Open Build Service allows remote attackers to cause deletion of directories by tricking obs-service-refresh_patches to delete them. Affected releases are openSUSE Open Build Service: versions prior to d6244245dda5367767efc989446fe4b5e4609cce.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对CRLF序列的转义处理不恰当(CRLF注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Open Build Service 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Open Build Service(OBS)是一套通用的、以自动、一致和可重复的方式从源代码构建和分发软件包的系统。 Open Build Service d6244245dda5367767efc989446fe4b5e4609cce之前版本中存在安全漏洞。远程攻击者可通过借助obs-service-refresh_patches利用该漏洞删除目录。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| openSUSE | Open Build Service | unspecified ~ d6244245dda5367767efc989446fe4b5e4609cce | - |
II. Public POCs for CVE-2018-12477
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2018-12477
请登录查看更多情报信息。
- https://bugzilla.suse.com/show_bug.cgi?id=1108189x_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2018-12477
Same Patch Batch · openSUSE · 2018-10-09 · 4 CVEs total
| CVE-2018-12474 | Crafted service parameters allows to induce unexpected behaviour in obs-service-tar_scm | |
| CVE-2018-12478 | obs-service-replace_using_package_version allows to specify arbitrary input files | |
| CVE-2018-12479 | Request controller allows to create requests with arbitrary request IDs |
IV. Related Vulnerabilities
Same product: Open Build Service
Same vendor: openSUSE
Same weakness: CWE-93
- CVE-2026-42257
net-imap: Command Injection via "raw" arguments to multiple - CVE-2026-41570
PHPUnit: Argument injection via newline in PHP INI values fo - CVE-2026-41417
Netty vulnerable to HTTP request smuggling and RTSP request - CVE-2026-39849
Pi-hole FTL remote code execution via newline injection in d - CVE-2026-34458
Sandboxie-Plus privilege escalation via INI CRLF injection b
V. Comments for CVE-2018-12477
No comments yet