CVE-2014-0594

EPSS 0.14%
Veröffentlicht 08.06.2018 17:29:00
Zuletzt bearbeitet 21.11.2024 02:02:27
Quelle security@opentext.com
Teams Watchlist Login
Unerledigt Login

In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opensuse ≫ Open Build Service Version < 2.4.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.308

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
security@opentext.com	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://bugzilla.suse.com/show_bug.cgi?id=870606

https://github.com/openSUSE/open-build-service/commit/2188c059b67b82171d0e28ef59f77e62d22a09d8

https://nvd.nist.gov/vuln/detail/CVE-2014-0594

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-0594

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-0594

EUVD