Vulnerabilities > CVE-2022-21949 - XXE vulnerability in Opensuse Open Build Service

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

opensuse

CWE-611

critical

NVD

Published: 2022-05-03

Updated: 2022-05-10

Summary

A Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13.

Vulnerable Configurations

Part	Description	Count
Application	Opensuse Opensuse Open Build Service - Opensuse Open Build Service 0.2.3 Opensuse Open Build Service 0.4.0 Opensuse Open Build Service 0.4.2 Opensuse Open Build Service 0.5.0 Opensuse Open Build Service 0.5.1 Opensuse Open Build Service 0.5.2 Opensuse Open Build Service 0.5.3 Opensuse Open Build Service 0.6.0 Opensuse Open Build Service 0.7.0 Opensuse Open Build Service 0.8.0 Opensuse Open Build Service 0.9.0 Opensuse Open Build Service 0.9.1 Opensuse Open Build Service 0.9.2 Opensuse Open Build Service 0.9.3 Opensuse Open Build Service 0.9.4 Opensuse Open Build Service 0.9.5 Opensuse Open Build Service 0.165.4 Opensuse Open Build Service 1.7.0 Opensuse Open Build Service 1.7.2 Opensuse Open Build Service 1.7.3 Opensuse Open Build Service 1.7.4 Opensuse Open Build Service 1.7.5 Opensuse Open Build Service 1.7.6 Opensuse Open Build Service 1.7.7 Opensuse Open Build Service 1.9.90 Opensuse Open Build Service 1.9.91 Opensuse Open Build Service 1.9.92 Opensuse Open Build Service 2.0.0 Opensuse Open Build Service 2.0.1 Opensuse Open Build Service 2.0.2 Opensuse Open Build Service 2.0.3 Opensuse Open Build Service 2.0.4 Opensuse Open Build Service 2.0.5 Opensuse Open Build Service 2.0.6 Opensuse Open Build Service 2.0.7 Opensuse Open Build Service 2.0.8 Opensuse Open Build Service 2.0.16 Opensuse Open Build Service 2.0.103 Opensuse Open Build Service 2.0.104 Opensuse Open Build Service 2.0.106 Opensuse Open Build Service 2.1.0 Opensuse Open Build Service 2.1.1 Opensuse Open Build Service 2.1.2 Opensuse Open Build Service 2.1.3 Opensuse Open Build Service 2.1.4 Opensuse Open Build Service 2.1.5 Opensuse Open Build Service 2.1.5.1 Opensuse Open Build Service 2.1.6 Opensuse Open Build Service 2.1.7 Opensuse Open Build Service 2.1.8 Opensuse Open Build Service 2.1.8.1 Opensuse Open Build Service 2.1.9 Opensuse Open Build Service 2.1.10 Opensuse Open Build Service 2.1.11 Opensuse Open Build Service 2.1.12 Opensuse Open Build Service 2.1.13 Opensuse Open Build Service 2.1.14 Opensuse Open Build Service 2.1.15 Opensuse Open Build Service 2.1.16 Opensuse Open Build Service 2.1.17 Opensuse Open Build Service 2.3.0 Opensuse Open Build Service 2.3.1 Opensuse Open Build Service 2.3.1-7 Opensuse Open Build Service 2.3.2 Opensuse Open Build Service 2.3.3 Opensuse Open Build Service 2.3.4 Opensuse Open Build Service 2.3.4.1 Opensuse Open Build Service 2.3.5 Opensuse Open Build Service 2.3.6 Opensuse Open Build Service 2.3.7 Opensuse Open Build Service 2.3.8 Opensuse Open Build Service 2.3.60 Opensuse Open Build Service 2.3.90 Opensuse Open Build Service 2.3.91 Opensuse Open Build Service 2.3.95 Opensuse Open Build Service 2.3.96 Opensuse Open Build Service 2.3.97 Opensuse Open Build Service 2.4.0 Opensuse Open Build Service 2.4.1 Opensuse Open Build Service 2.4.2 Opensuse Open Build Service 2.4.3 Opensuse Open Build Service 2.4.4 Opensuse Open Build Service 2.4.5 Opensuse Open Build Service 2.4.6 Opensuse Open Build Service 2.4.7 Opensuse Open Build Service 2.4.8 Opensuse Open Build Service 2.4.50 Opensuse Open Build Service 2.4.51 Opensuse Open Build Service 2.4.90 Opensuse Open Build Service 2.4.91 Opensuse Open Build Service 2.4.92 Opensuse Open Build Service 2.4.95 Opensuse Open Build Service 2.5.0 Opensuse Open Build Service 2.5.1 Opensuse Open Build Service 2.5.2 Opensuse Open Build Service 2.5.3 Opensuse Open Build Service 2.5.4 Opensuse Open Build Service 2.5.4-1 Opensuse Open Build Service 2.5.4-2 Opensuse Open Build Service 2.5.5 Opensuse Open Build Service 2.5.5.1 Opensuse Open Build Service 2.5.6 Opensuse Open Build Service 2.5.7 Opensuse Open Build Service 2.5.50 Opensuse Open Build Service 2.6.0 Opensuse Open Build Service 2.6.1 Opensuse Open Build Service 2.6.2 Opensuse Open Build Service 2.6.3 Opensuse Open Build Service 2.6.4 Opensuse Open Build Service 2.6.5 Opensuse Open Build Service 2.6.6 Opensuse Open Build Service 2.6.7 Opensuse Open Build Service 2.6.8 Opensuse Open Build Service 2.6.9 Opensuse Open Build Service 2.6.10 Opensuse Open Build Service 2.7.0 Opensuse Open Build Service 2.7.1 Opensuse Open Build Service 2.7.2 Opensuse Open Build Service 2.7.3 Opensuse Open Build Service 2.7.4 Opensuse Open Build Service 2.8.0 Opensuse Open Build Service 2.8.1 Opensuse Open Build Service 2.8.2 Opensuse Open Build Service 2.8.3 Opensuse Open Build Service 2.8.4 Opensuse Open Build Service 2.9.0 Opensuse Open Build Service 2.9.1 Opensuse Open Build Service 2.9.2 Opensuse Open Build Service 2.9.3 Opensuse Open Build Service 2.9.4 Opensuse Open Build Service 2.9.5 Opensuse Open Build Service 2.9.6 Opensuse Open Build Service 2.10.0 Opensuse Open Build Service 2.10.1 Opensuse Open Build Service 2.10.5 Opensuse Open Build Service 2.10.8	137

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://bugzilla.suse.com/show_bug.cgi?id=1197928