| Vulnerability Name: | CVE-2022-21949 (CCN-225628) | ||||||||||||
| Assigned: | 2021-12-16 | ||||||||||||
| Published: | 2022-04-01 | ||||||||||||
| Updated: | 2022-05-10 | ||||||||||||
| Summary: | A Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13. | ||||||||||||
| CVSS v3 Severity: | 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) 7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
| ||||||||||||
| Vulnerability Type: | CWE-611 | ||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2022-21949 Source: CCN Type: Bugzilla - Bug 1197928 (CVE-2022-21949) VUL-0: CVE-2022-21949: obs-server: Multiple XXE vulnerabilities in OBS Source: CONFIRM Type: Issue Tracking, Vendor Advisory https://bugzilla.suse.com/show_bug.cgi?id=1197928 Source: XF Type: UNKNOWN openbuild-cve202221949-xxe(225628) Source: CCN Type: Open Build Service GIT Repository Release 2.10.13 #12455 | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||