CVE-2017-9268

low-risk

Published 2018-03-01

In the open build service before 201707022 the wipetrigger and rebuild actions checked the wrong project for permissions, allowing authenticated users to cause operations on projects where they did not have permissions leading to denial of service (resource consumption).

Do I need to act?

0.13% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.4/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Open Build Service

Affected Vendors

Opensuse

References (4)

https://bugzilla.suse.com/show_bug.cgi?id=1045519

https://github.com/openSUSE/open-build-service/pull/3267

https://bugzilla.suse.com/show_bug.cgi?id=1045519

https://github.com/openSUSE/open-build-service/pull/3267

/ 100

low-risk

Severity 15/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal