
Open Build Service — Vulnerabilities & Security Advisories (19)

All 19 CVE vulnerabilities found in Open Build Service, with AI-generated Chinese analysis, references, and POCs.

This page documents security vulnerabilities associated with the Open Build Service, an open-source platform designed for building, distributing, and managing software packages across various Linux distributions. The content focuses on weakness types identified within this continuous integration and build service environment, providing a structured view of its security posture over time. The page aggregates data on multiple vulnerability categories affecting the Open Build Service infrastructure and its components, covering reports published from 2017 through 2023. This time range captures significant security incidents, configuration weaknesses, and implementation flaws that have been disclosed by vendors and the open-source community during the platform's operational history. Visitors can use this resource to track advisory timelines from the primary vendor and understand the broader context of specific weakness classes affecting build systems. It also allows users to look up the complete vulnerability history of the Open Build Service product, helping developers and system administrators assess risk exposure and prioritize remediation efforts based on historical trends and severity levels. By consolidating these records, the page serves as a central reference for security researchers and operational teams evaluating the integrity of their package building workflows.

Vendor: SUSE

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2022-21949 | Multiple XXE vulnerabilities in OBS | CWE-611 | 8.8 | High | 2022-05-03 |
| CVE-2020-8031 | obs: Stored XSS | CWE-79 | 6.3 | Medium | 2021-02-11 |
| CVE-2018-12475 | obs-service-download_files allows downloading from localhost or intranet hosts | CWE-610 | 6.5 | Medium | 2020-09-01 |
| CVE-2020-8021 | unauthorized read access to files where sourceaccess is disabled via a crafted _service file in Open Build Service | CWE-269 | 5.3 | Medium | 2020-05-19 |
| CVE-2019-3685 | Missing TLS certificate validation for HTTPS connections in osc | CWE-295 | 7.4 | High | 2019-11-05 |
| CVE-2018-12474 | Crafted service parameters allows to induce unexpected behaviour in obs-service-tar_scm | CWE-20 | 8.8 | - | 2018-10-09 |
| CVE-2018-12477 | obs-service-refresh_patches can be tricked into deleting '..' or other unrelated directories | CWE-93 | 6.5 | - | 2018-10-09 |
| CVE-2018-12478 | obs-service-replace_using_package_version allows to specify arbitrary input files | CWE-20 | 6.5 | - | 2018-10-09 |
| CVE-2018-12479 | Request controller allows to create requests with arbitrary request IDs | CWE-20 | 7.5 | - | 2018-10-09 |
| CVE-2018-12473 | path traversal in obs-service-tar_scm | CWE-23 | 7.5 | - | 2018-10-02 |
| CVE-2011-4183 | open build service allows anyone to upload rpms | CWE-862 | 9.8 | - | 2018-06-13 |
| CVE-2011-4181 | open build service information leak via unauthorized source access | CWE-284 | 7.5 | - | 2018-06-11 |
| CVE-2014-0594 | CSRF protection incorrectly disabled | CWE-352 | 8.8 | - | 2018-06-08 |
| CVE-2013-3703 | No write permission check in change_role command | CWE-862 | 6.5 | - | 2018-06-08 |
| CVE-2018-7688 | Open Build Service accepts arbitrary reviews | CWE-862 | 6.5 | - | 2018-06-07 |
| CVE-2018-7689 | Open Build Service arbitrary package modification | CWE-862 | 6.5 | - | 2018-06-07 |
| CVE-2015-0796 | open build service source server symlink exploitation via source patch | | 7.7 | - | 2018-03-02 |
| CVE-2017-5188 | OBS worker VM escape via relative symbolic links | | 6.5 | - | 2018-03-01 |
| CVE-2017-9268 | open-build-service retrigger / wipebinaries hitting the wrong project bypassing access permissions | | 6.5 | - | 2018-03-01 |
