Bug 723788 (CVE-2011-3178) - VUL-0: CVE-2011-3178: obs webui code injection
Status: RESOLVED FIXED
Alias: CVE-2011-3178
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Adrian Schröter
QA Contact: Security Team bot
Reported: 2011-10-13 07:50 UTC by Ludwig Nussel
Modified: 2017-03-10 17:33 UTC
Found By: Other


Description Ludwig Nussel 2011-10-13 07:50:41 UTC
The OBS server webui did not sanitize the 'scheduler' parameter when calling the mkdiststats script. Remote attackers could exploit that to inject code.

https://github.com/openSUSE/open-build-service/commit/cbfe2ed36dd77c0843702935dea7f914bb599201
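
The bug class described above (a request parameter reaching an external script call unsanitized), shown as an added Ruby example; it is not OBS code and not the fix from the linked commit. The allowlist pattern, the helper names and the stand-in child process used in place of mkdiststats are assumptions made for illustration.

```ruby
require "open3"
require "rbconfig"

# Assumption: valid scheduler names are short tokens such as "x86_64" or "i586".
# \A and \z anchor the whole string; ^ and $ would only anchor a single line.
SCHEDULER_RE = /\A[A-Za-z0-9_]{1,32}\z/

# Stand-in for the mkdiststats call (hypothetical): a child Ruby process that
# reports how many arguments it received and echoes them back.
STAND_IN = [RbConfig.ruby, "-e", "print ARGV.length, ':', ARGV.join('|')"].freeze

# "Before" shape: request data interpolated into one string that a shell
# would parse, so metacharacters in the value become shell syntax.
def shell_string(script, scheduler)
  "#{script} #{scheduler}"
end

# "After" shape: reject anything outside the allowlist, then return an
# argv array so the value can only ever be a single argument.
def checked_argv(base_argv, scheduler)
  unless scheduler.is_a?(String) && SCHEDULER_RE.match?(scheduler)
    raise ArgumentError, "invalid scheduler parameter"
  end
  base_argv + [scheduler]
end

# Run an argv array directly; given several arguments Open3 starts the
# program without a shell. Returns what the child process saw.
def run_argv(argv)
  out, status = Open3.capture2(*argv)
  raise "child failed" unless status.success?
  out
end

if __FILE__ == $PROGRAM_NAME
  hostile = "x86_64; echo injected" # constructed sample value
  puts shell_string("./mkdiststats", hostile)     # string a shell would split
  puts run_argv(STAND_IN + [hostile])             # stays one argument
  puts run_argv(checked_argv(STAND_IN, "x86_64")) # accepted value
  begin
    checked_argv(STAND_IN, hostile)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Passing an argv array keeps the value out of shell parsing even if validation is skipped; the allowlist additionally stops values the script itself might misinterpret.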
Comment 1 Ludwig Nussel 2011-10-19 08:07:34 UTC
CVE-2011-3178
Comment 2 Ludwig Nussel 2011-10-21 07:07:03 UTC
Fix is in 2.1.13.