Bug 828256 (CVE-2013-3703) - VUL-0: CVE-2013-3703: obs-server: No write permission check in change_role command
Status: RESOLVED FIXED
Alias: CVE-2013-3703
Product: openSUSE.org
Classification: openSUSE
Component: BuildService
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Critical
Target Milestone: ---
Assignee: Adrian Schröter
QA Contact: Adrian Schröter
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2013-07-05 07:05 UTC by Adrian Schröter
Modified: 2013-07-08 17:31 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Adrian Schröter 2013-07-05 07:05:27 UTC
The webui controller of the api provides an interface to add or remove user roles from packages or project meta data. This is done without any write permission checks in current git master and OBS 2.4 branch (including 2.4.3). Versions before are not affected.

Our productive instances have been hotfixed for now.

Security team, please decide if we want to create a CVE or anything else for this and re-assign the bug back to me. thanks.
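The bug class described above, an interface that mutates project or package role metadata without first checking whether the caller may write it, as an added illustration. This is not Open Build Service code; the classes, method names and the maintainer-based write rule (`MetaData`, `RoleChanger`, `can_modify?`) are hypothetical, and the unchecked handler is shown only beside its hardened counterpart to make the missing check visible.

```ruby
require 'set'

# Added example, not OBS code. Models a project/package _meta record with
# per-user roles and a role-change handler that verifies write permission
# before touching the metadata. All names here are hypothetical.

class PermissionDenied < StandardError; end

# Caller identity; `admin` stands in for a global administrator flag.
User = Struct.new(:login, :admin)

# Metadata record: login => Set of role names, as a _meta document would carry.
class MetaData
  attr_reader :name, :roles

  def initialize(name, roles = {})
    @name = name
    @roles = roles
  end

  # Write permission rule assumed for this example: administrators, and
  # users who already hold the maintainer role on this record.
  def can_modify?(user)
    return true if user.admin
    roles.fetch(user.login, []).include?('maintainer')
  end
end

class RoleChanger
  # The defect class from the report: the roles are changed with no check
  # on who is asking, so any authenticated caller can grant themselves a role.
  def self.change_role_unchecked(meta, target_login, role, action)
    apply(meta, target_login, role, action)
  end

  # Hardened form: refuse unless the caller may write this metadata.
  def self.change_role(meta, caller, target_login, role, action)
    unless meta.can_modify?(caller)
      raise PermissionDenied, "#{caller.login} may not modify #{meta.name}"
    end
    apply(meta, target_login, role, action)
  end

  # Shared mutation: add or remove one role for one login.
  def self.apply(meta, target_login, role, action)
    set = (meta.roles[target_login] ||= Set.new)
    case action
    when :add    then set << role
    when :remove then set.delete(role)
    else raise ArgumentError, "unknown action #{action.inspect}"
    end
    meta.roles.delete(target_login) if set.empty?
    meta
  end
  private_class_method :apply
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: alice maintains the record, mallory does not.
  meta = MetaData.new('home:alice', { 'alice' => Set['maintainer'] })
  mallory = User.new('mallory', false)
  begin
    RoleChanger.change_role(meta, mallory, 'mallory', 'maintainer', :add)
  rescue PermissionDenied => e
    puts "denied: #{e.message}"
  end
  puts "roles after denied attempt: #{meta.roles.inspect}"
end
```

The check belongs in the handler itself, not only in the web form that calls it: the report notes the interface was reachable through the webui controller, and a permission test bound to the mutation holds regardless of which route invokes it.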
Comment 1 Marcus Meissner 2013-07-05 09:43:21 UTC
I have assigned CVE-2013-3703.

Use it in announcements please.


(Do we need to update anything on our products?)
Comment 2 Adrian Schröter 2013-07-05 10:09:23 UTC
Thanks, no product updates needed. I will just release an OBS 2.4.4 with that fix.
Comment 3 Swamp Workflow Management 2013-07-05 22:00:17 UTC
bugbot adjusting priority
Comment 4 Adrian Schröter 2013-07-08 17:31:00 UTC
2.4.4 containing a fix is released.