CVE-2014-0594

EPSS 0.14%
Published 08.06.2018 17:29:00
Last modified 21.11.2024 02:02:27
Source security@opentext.com
Teams watchlist Login
Open Login

In the Open Build Service (OBS) before version 2.4.6 the CSRF protection is incorrectly disabled in the web interface, allowing for requests without the user's consent.

Affected products Warnungen 0 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Opensuse ≫ Open Build Service Version < 2.4.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.14%	0.308

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
security@opentext.com	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://bugzilla.suse.com/show_bug.cgi?id=870606

https://github.com/openSUSE/open-build-service/commit/2188c059b67b82171d0e28ef59f77e62d22a09d8

https://nvd.nist.gov/vuln/detail/CVE-2014-0594

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-0594

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-0594

EUVD