certfr_avis - certa-2011-avi-264

CERTA-2011-AVI-264

Vulnerability from certfr_avis

Des vulnérabilités dans OpenSUSE Build Service permettent à un utilisateur malveillant de réaliser de l'injection de code indirecte et de modifier les informations.

Description

OpenSUSE Build Service est une plateforme de développement et de distribution de paquets logiciels.

Plusieurs vulnérabilités affectent ce produit :

(CVE-2011-0462) plusieurs vulnérabilités de type XSS affectent l'interface web ;
(CVE-2011-0466) des défauts de l'API permettent à un utilisateur malveillant de modifier des projets ou des paquets logiciels sans disposer de droits en écriture légitimes.

Solution

Les versions 2.0.8 et 2.1.6 corrigent ces problèmes.

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

OpenSUSE Build Service :

versions web 2.1.x ;
API, versions 2.0.x et 2.1.x.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Annonce de versions OpenSUSE du 02 mars 2011

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eOpenSUSE Build Service :  \u003cUL\u003e    \u003cLI\u003eversions web 2.1.x ;\u003c/LI\u003e    \u003cLI\u003eAPI, versions 2.0.x et 2.1.x.\u003c/LI\u003e  \u003c/UL\u003e\u003c/p\u003e",
  "content": "## Description\n\nOpenSUSE Build Service est une plateforme de d\u00e9veloppement et de\ndistribution de paquets logiciels.\n\nPlusieurs vuln\u00e9rabilit\u00e9s affectent ce produit\u00a0:\n\n-   (CVE-2011-0462) plusieurs vuln\u00e9rabilit\u00e9s de type XSS affectent\n    l\u0027interface web\u00a0;\n-   (CVE-2011-0466) des d\u00e9fauts de l\u0027API permettent \u00e0 un utilisateur\n    malveillant de modifier des projets ou des paquets logiciels sans\n    disposer de droits en \u00e9criture l\u00e9gitimes.\n\n## Solution\n\nLes versions 2.0.8 et 2.1.6 corrigent ces probl\u00e8mes.\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2011-0462",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-0462"
    },
    {
      "name": "CVE-2011-0466",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-0466"
    }
  ],
  "initial_release_date": "2011-04-28T00:00:00",
  "last_revision_date": "2011-04-28T00:00:00",
  "links": [],
  "reference": "CERTA-2011-AVI-264",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2011-04-28T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance"
    }
  ],
  "summary": "Des vuln\u00e9rabilit\u00e9s dans OpenSUSE Build Service permettent \u00e0 un\nutilisateur malveillant de r\u00e9aliser de l\u0027injection de code indirecte et\nde modifier les informations.\n",
  "title": "Vuln\u00e9rabilit\u00e9s dans OpenSUSE Build Service",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Annonce de versions OpenSUSE du 02 mars 2011",
      "url": "http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/"
    }
  ]
}

CVE-2011-0462 (GCVE-0-2011-0462)

Vulnerability from cvelistv5

Published

2011-04-10 01:00

Modified

2024-09-16 17:02

Severity ?

CWE

Summary

Multiple cross-site scripting (XSS) vulnerabilities in the login page in the webui component in SUSE openSUSE Build Service (OBS) before 2.1.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

References

URL

Tags

	http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/	x_refsource_CONFIRM
	https://bugzilla.novell.com/show_bug.cgi?id=669909	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T21:51:08.986Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.novell.com/show_bug.cgi?id=669909"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in the login page in the webui component in SUSE openSUSE Build Service (OBS) before 2.1.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2011-04-10T01:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.novell.com/show_bug.cgi?id=669909"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2011-0462",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in the login page in the webui component in SUSE openSUSE Build Service (OBS) before 2.1.6 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/",
              "refsource": "CONFIRM",
              "url": "http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/"
            },
            {
              "name": "https://bugzilla.novell.com/show_bug.cgi?id=669909",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.novell.com/show_bug.cgi?id=669909"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2011-0462",
    "datePublished": "2011-04-10T01:00:00.000Z",
    "dateReserved": "2011-01-14T00:00:00.000Z",
    "dateUpdated": "2024-09-16T17:02:55.828Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2011-0466 (GCVE-0-2011-0466)

Vulnerability from cvelistv5

Published

2011-04-10 01:00

Modified

2024-09-16 17:28

Severity ?

CWE

Summary

The API in SUSE openSUSE Build Service (OBS) 2.0.x before 2.0.8 and 2.1.x before 2.1.6 allows attackers to bypass intended write-access restrictions and modify a (1) package or (2) project via unspecified vectors.

References

URL

Tags

http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T21:51:08.967Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The API in SUSE openSUSE Build Service (OBS) 2.0.x before 2.0.8 and 2.1.x before 2.1.6 allows attackers to bypass intended write-access restrictions and modify a (1) package or (2) project via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2011-04-10T01:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2011-0466",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The API in SUSE openSUSE Build Service (OBS) 2.0.x before 2.0.8 and 2.1.x before 2.1.6 allows attackers to bypass intended write-access restrictions and modify a (1) package or (2) project via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/",
              "refsource": "CONFIRM",
              "url": "http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fixing-security-problems/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2011-0466",
    "datePublished": "2011-04-10T01:00:00.000Z",
    "dateReserved": "2011-01-14T00:00:00.000Z",
    "dateUpdated": "2024-09-16T17:28:11.780Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CERTA-2011-AVI-264

Vulnerability from certfr_avis

Description

Solution

CVE-2011-0462 (GCVE-0-2011-0462)

Vulnerability from cvelistv5

CVE-2011-0466 (GCVE-0-2011-0466)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature