CVE-2024-22033

Summary

The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps

Affected Software

VendorProductVersion RangeStatus
SUSESUSE Package Hub 15 SP5? < 0.2.1-bp155.3.3.1affected
SUSESUSE Package Hub 15 SP6? < 0.2.1-bp156.2.3.1affected
SUSEopenSUSE Leap 15.5? < 0.2.1-bp155.3.3.1affected
SUSEopenSUSE Leap 15.6? < 0.2.1-bp156.2.3.1affected
SUSEopenSUSE Tumbleweed? < 0.2.1-1.1affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References