Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for build by SUSE

    CVE-2017-14804 (GCVE-0-2017-14804)

    Vulnerability from nvd – Published: 2018-03-01 19:00 – Updated: 2024-09-16 22:03
    VLAI
    Title
    package builds could use directory traversal to write outside of target area
    Summary
    The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots.
    CWE
    • Insufficient pathname checking could use to bypass directory restrictions.
    • CWE-22
    Assigner
    References
    URL Tags
    https://lists.opensuse.org/opensuse-security-anno… vendor-advisoryx_refsource_SUSE
    https://lists.opensuse.org/opensuse-security-anno… vendor-advisoryx_refsource_SUSE
    https://lists.opensuse.org/opensuse-security-anno… vendor-advisoryx_refsource_SUSE
    Impacted products
    Vendor Product Version
    SUSE build Affected: unspecified , ≤ 20171128 (custom)
    Create a notification for this product.
    Date Public
    2017-12-08 00:00
    Credits
    Marcus Hüwe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T19:34:39.942Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "SUSE-SU-2017:3253",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html"
              },
              {
                "name": "SUSE-SU-2018:0065",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00030.html"
              },
              {
                "name": "openSUSE-SU-2017:3259",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00025.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "build",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThanOrEqual": "20171128",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Marcus H\u00fcwe"
            }
          ],
          "datePublic": "2017-12-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "Can be found in https://bugzilla.suse.com/show_bug.cgi?id=1069904"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insufficient pathname checking could use to bypass directory restrictions.",
                  "lang": "en",
                  "type": "text"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-06T16:15:51.000Z",
            "orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
            "shortName": "microfocus"
          },
          "references": [
            {
              "name": "SUSE-SU-2017:3253",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html"
            },
            {
              "name": "SUSE-SU-2018:0065",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00030.html"
            },
            {
              "name": "openSUSE-SU-2017:3259",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00025.html"
            }
          ],
          "source": {
            "advisory": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html",
            "defect": [
              "https://bugzilla.suse.com/show_bug.cgi?id=1069904"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "package builds could use directory traversal to write outside of target area",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@microfocus.com",
              "DATE_PUBLIC": "2017-12-08T00:00:00.000Z",
              "ID": "CVE-2017-14804",
              "STATE": "PUBLIC",
              "TITLE": "package builds could use directory traversal to write outside of target area"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "build",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_value": "20171128"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SUSE"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Marcus H\u00fcwe"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots."
                }
              ]
            },
            "exploit": [
              {
                "lang": "en",
                "value": "Can be found in https://bugzilla.suse.com/show_bug.cgi?id=1069904"
              }
            ],
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Insufficient pathname checking could use to bypass directory restrictions."
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-22"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "SUSE-SU-2017:3253",
                  "refsource": "SUSE",
                  "url": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html"
                },
                {
                  "name": "SUSE-SU-2018:0065",
                  "refsource": "SUSE",
                  "url": "https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00030.html"
                },
                {
                  "name": "openSUSE-SU-2017:3259",
                  "refsource": "SUSE",
                  "url": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00025.html"
                }
              ]
            },
            "source": {
              "advisory": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html",
              "defect": [
                "https://bugzilla.suse.com/show_bug.cgi?id=1069904"
              ],
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
        "assignerShortName": "microfocus",
        "cveId": "CVE-2017-14804",
        "datePublished": "2018-03-01T19:00:00.000Z",
        "dateReserved": "2017-09-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:03:14.200Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-14804 (GCVE-0-2017-14804)

    Vulnerability from cvelistv5 – Published: 2018-03-01 19:00 – Updated: 2024-09-16 22:03
    VLAI
    Title
    package builds could use directory traversal to write outside of target area
    Summary
    The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots.
    CWE
    • Insufficient pathname checking could use to bypass directory restrictions.
    • CWE-22
    Assigner
    References
    URL Tags
    https://lists.opensuse.org/opensuse-security-anno… vendor-advisoryx_refsource_SUSE
    https://lists.opensuse.org/opensuse-security-anno… vendor-advisoryx_refsource_SUSE
    https://lists.opensuse.org/opensuse-security-anno… vendor-advisoryx_refsource_SUSE
    Impacted products
    Vendor Product Version
    SUSE build Affected: unspecified , ≤ 20171128 (custom)
    Create a notification for this product.
    Date Public
    2017-12-08 00:00
    Credits
    Marcus Hüwe
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T19:34:39.942Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "SUSE-SU-2017:3253",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html"
              },
              {
                "name": "SUSE-SU-2018:0065",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00030.html"
              },
              {
                "name": "openSUSE-SU-2017:3259",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00025.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "build",
              "vendor": "SUSE",
              "versions": [
                {
                  "lessThanOrEqual": "20171128",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Marcus H\u00fcwe"
            }
          ],
          "datePublic": "2017-12-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "value": "Can be found in https://bugzilla.suse.com/show_bug.cgi?id=1069904"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Insufficient pathname checking could use to bypass directory restrictions.",
                  "lang": "en",
                  "type": "text"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-06T16:15:51.000Z",
            "orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
            "shortName": "microfocus"
          },
          "references": [
            {
              "name": "SUSE-SU-2017:3253",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html"
            },
            {
              "name": "SUSE-SU-2018:0065",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00030.html"
            },
            {
              "name": "openSUSE-SU-2017:3259",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00025.html"
            }
          ],
          "source": {
            "advisory": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html",
            "defect": [
              "https://bugzilla.suse.com/show_bug.cgi?id=1069904"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "package builds could use directory traversal to write outside of target area",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@microfocus.com",
              "DATE_PUBLIC": "2017-12-08T00:00:00.000Z",
              "ID": "CVE-2017-14804",
              "STATE": "PUBLIC",
              "TITLE": "package builds could use directory traversal to write outside of target area"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "build",
                          "version": {
                            "version_data": [
                              {
                                "affected": "\u003c=",
                                "version_affected": "\u003c=",
                                "version_value": "20171128"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "SUSE"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Marcus H\u00fcwe"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The build package before 20171128 did not check directory names during extraction of build results that allowed untrusted builds to write outside of the target system,allowing escape out of buildroots."
                }
              ]
            },
            "exploit": [
              {
                "lang": "en",
                "value": "Can be found in https://bugzilla.suse.com/show_bug.cgi?id=1069904"
              }
            ],
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Insufficient pathname checking could use to bypass directory restrictions."
                    }
                  ]
                },
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-22"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "SUSE-SU-2017:3253",
                  "refsource": "SUSE",
                  "url": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html"
                },
                {
                  "name": "SUSE-SU-2018:0065",
                  "refsource": "SUSE",
                  "url": "https://lists.opensuse.org/opensuse-security-announce/2018-01/msg00030.html"
                },
                {
                  "name": "openSUSE-SU-2017:3259",
                  "refsource": "SUSE",
                  "url": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00025.html"
                }
              ]
            },
            "source": {
              "advisory": "https://lists.opensuse.org/opensuse-security-announce/2017-12/msg00024.html",
              "defect": [
                "https://bugzilla.suse.com/show_bug.cgi?id=1069904"
              ],
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
        "assignerShortName": "microfocus",
        "cveId": "CVE-2017-14804",
        "datePublished": "2018-03-01T19:00:00.000Z",
        "dateReserved": "2017-09-27T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:03:14.200Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }