CVE-2022-21949
Multiple XXE vulnerabilities in OBS
In short
OBS has a vulnerability that lets an attacker submit XML containing external entity references, so that the server reads sensitive files and returns their contents. The disclosed information can then be used to gain admin access to the OBS system.
Technical detail
XML External Entity (XXE) injection vulnerability in OBS allows remote attackers to reference external entities in XML processing operations, enabling arbitrary file disclosure. Exploitation requires the ability to submit specially crafted XML input to vulnerable endpoints; successful exploitation may lead to information disclosure that facilitates privilege escalation to administrator level.
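The mechanism described above, shown as an added example in Python's standard library (this is not code from OBS or SUSE, and it does not reproduce the OBS endpoints): a constructed XML document declares an external entity whose SYSTEM identifier points at a temporary file the script creates itself, and the same document is run through three parser configurations. The function names, the constructed document, the temp-file contents and the DOCTYPE check are all assumptions made for this demo.

```python
# Added example (not OBS code): an XXE demonstration and its mitigation using
# Python's standard-library SAX parser. The "sensitive file" is a temp file the
# script writes itself; the XML document is constructed for the demo.
import io
import os
import re
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler
from xml.sax.handler import ContentHandler

CONSTRUCTED_SECRET = "CONSTRUCTED-SECRET-VALUE"  # constructed demo content


class TextCollector(ContentHandler):
    """Collect character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def build_demo_document():
    """Write a temp file standing in for a sensitive server file and return
    (xml_bytes, path). The internal DTD subset declares an external entity
    whose SYSTEM identifier is that file's URI (constructed payload shape)."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    with os.fdopen(fd, "w") as f:
        f.write(CONSTRUCTED_SECRET)
    uri = Path(path).as_uri()
    xml_doc = (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [ <!ENTITY ext SYSTEM "{uri}"> ]>\n'
        "<request><description>&ext;</description></request>\n"
    )
    return xml_doc.encode(), path


def _parse(xml_bytes, external_entities):
    """Parse with external general entity resolution switched on or off."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_vulnerable(xml_bytes):
    """Vulnerable configuration: the parser resolves external general
    entities, so &ext; is replaced by the contents of the referenced file."""
    return _parse(xml_bytes, external_entities=True)


def parse_entities_disabled(xml_bytes):
    """Partial fix: the file is never fetched, but the reference is dropped
    silently, so nothing records that an XXE attempt was made."""
    return _parse(xml_bytes, external_entities=False)


# Coarse pre-parse check: a DOCTYPE or ENTITY declaration has no business in
# input a build service accepts from users, so reject it outright.
DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def parse_hardened(xml_bytes):
    """Hardened configuration: refuse any document carrying a DTD before it
    reaches the parser (so the attempt can be logged), and keep external
    entity resolution off as defence in depth."""
    if DTD_MARKER.search(xml_bytes):
        raise ValueError("XML input with DOCTYPE/ENTITY declarations rejected")
    return _parse(xml_bytes, external_entities=False)


def run_demo():
    """Run the three configurations against the same constructed document and
    return what each one exposed; removes the temp file afterwards."""
    xml_bytes, path = build_demo_document()
    try:
        results = {
            "vulnerable": parse_vulnerable(xml_bytes),
            "entities_disabled": parse_entities_disabled(xml_bytes),
        }
        try:
            parse_hardened(xml_bytes)
            results["hardened"] = "accepted"
        except ValueError:
            results["hardened"] = "rejected"
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:18} -> {outcome!r}")
```

Running the script prints one line per configuration: the vulnerable parser returns the temp file's contents inside the response, the entities-disabled parser returns an empty string, and the hardened parser rejects the document. The difference between the last two is the detection point: disabling resolution alone stops the disclosure, but rejecting the DTD up front gives the application an event to log. OBS itself is a Ruby on Rails application, so its fix lives in the parse options of its Ruby XML library rather than in Python; the principle (no DTD processing, no external entity resolution) is the same.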
Summary generated and translated by AI from the official description.
An Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
SUSE · Open Build Service