{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"High"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"obs-server security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for obs-server is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3.",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"The Open Build Service (OBS) backend is used to store all sources and binaries. It also calculates the need for new build jobs and distributes it.\n\nSecurity Fix(es):\n\nAn Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13. (CVE-2022-21949)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for obs-server is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"High",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"obs-server",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2022-1674",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1674"
			},
			{
				"summary":"CVE-2022-21949",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2022-21949&packageName=obs-server"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21949"
			},
			{
				"summary":"openEuler-SA-2022-1674 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2022/csaf-openeuler-sa-2022-1674.json"
			}
		],
		"title":"An update for obs-server is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP3",
		"tracking":{
			"initial_release_date":"2022-05-25T09:40:36+08:00",
			"revision_history":[
				{
					"date":"2022-05-25T09:40:36+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				},
				{
					"date":"2024-10-31T09:40:36+08:00",
					"summary":"final",
					"number":"2.0.0"
				}
			],
			"generator":{
				"date":"2024-10-31T09:40:36+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2024-10-31T09:40:36+08:00",
			"id":"openEuler-SA-2022-1674",
			"version":"2.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"openEuler-20.03-LTS-SP1",
									"name":"openEuler-20.03-LTS-SP1"
								},
								"name":"openEuler-20.03-LTS-SP1",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"openEuler-20.03-LTS-SP3",
									"name":"openEuler-20.03-LTS-SP3"
								},
								"name":"openEuler-20.03-LTS-SP3",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"obs-server-2.10.11-3.oe1.src.rpm(20.03-LTS-SP1)",
									"name":"obs-server-2.10.11-3.oe1.src.rpm"
								},
								"name":"obs-server-2.10.11-3.oe1.src.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"obs-server-2.10.11-3.oe1.src.rpm(20.03-LTS-SP3)",
									"name":"obs-server-2.10.11-3.oe1.src.rpm"
								},
								"name":"obs-server-2.10.11-3.oe1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"obs-api-2.10.11-3.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"obs-api-2.10.11-3.oe1.noarch.rpm"
								},
								"name":"obs-api-2.10.11-3.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"obs-common-2.10.11-3.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"obs-common-2.10.11-3.oe1.noarch.rpm"
								},
								"name":"obs-common-2.10.11-3.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1"
									},
									"product_id":"obs-server-2.10.11-3.oe1.noarch.rpm(20.03-LTS-SP1)",
									"name":"obs-server-2.10.11-3.oe1.noarch.rpm"
								},
								"name":"obs-server-2.10.11-3.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"obs-api-2.10.11-3.oe1.noarch.rpm(20.03-LTS-SP3)",
									"name":"obs-api-2.10.11-3.oe1.noarch.rpm"
								},
								"name":"obs-api-2.10.11-3.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"obs-common-2.10.11-3.oe1.noarch.rpm(20.03-LTS-SP3)",
									"name":"obs-common-2.10.11-3.oe1.noarch.rpm"
								},
								"name":"obs-common-2.10.11-3.oe1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP3"
									},
									"product_id":"obs-server-2.10.11-3.oe1.noarch.rpm(20.03-LTS-SP3)",
									"name":"obs-server-2.10.11-3.oe1.noarch.rpm"
								},
								"name":"obs-server-2.10.11-3.oe1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"obs-server-2.10.11-3.oe1.src.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:obs-server-2.10.11-3.oe1.src",
					"name":"obs-server-2.10.11-3.oe1.src as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"obs-server-2.10.11-3.oe1.src.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:obs-server-2.10.11-3.oe1.src",
					"name":"obs-server-2.10.11-3.oe1.src as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"obs-api-2.10.11-3.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:obs-api-2.10.11-3.oe1.noarch",
					"name":"obs-api-2.10.11-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"obs-common-2.10.11-3.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:obs-common-2.10.11-3.oe1.noarch",
					"name":"obs-common-2.10.11-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP1",
				"product_reference":"obs-server-2.10.11-3.oe1.noarch.rpm(20.03-LTS-SP1)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP1:obs-server-2.10.11-3.oe1.noarch",
					"name":"obs-server-2.10.11-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"obs-api-2.10.11-3.oe1.noarch.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:obs-api-2.10.11-3.oe1.noarch",
					"name":"obs-api-2.10.11-3.oe1.noarch as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"obs-common-2.10.11-3.oe1.noarch.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:obs-common-2.10.11-3.oe1.noarch",
					"name":"obs-common-2.10.11-3.oe1.noarch as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-20.03-LTS-SP3",
				"product_reference":"obs-server-2.10.11-3.oe1.noarch.rpm(20.03-LTS-SP3)",
				"full_product_name":{
					"product_id":"openEuler-20.03-LTS-SP3:obs-server-2.10.11-3.oe1.noarch",
					"name":"obs-server-2.10.11-3.oe1.noarch as a component of openEuler-20.03-LTS-SP3"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2022-21949",
			"notes":[
				{
					"text":"An Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects: SUSE Open Build Service Open Build Service versions prior to 2.10.13.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-20.03-LTS-SP1:obs-server-2.10.11-3.oe1.src",
					"openEuler-20.03-LTS-SP3:obs-server-2.10.11-3.oe1.src",
					"openEuler-20.03-LTS-SP1:obs-api-2.10.11-3.oe1.noarch",
					"openEuler-20.03-LTS-SP1:obs-common-2.10.11-3.oe1.noarch",
					"openEuler-20.03-LTS-SP1:obs-server-2.10.11-3.oe1.noarch",
					"openEuler-20.03-LTS-SP3:obs-api-2.10.11-3.oe1.noarch",
					"openEuler-20.03-LTS-SP3:obs-common-2.10.11-3.oe1.noarch",
					"openEuler-20.03-LTS-SP3:obs-server-2.10.11-3.oe1.noarch"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-20.03-LTS-SP1:obs-server-2.10.11-3.oe1.src",
						"openEuler-20.03-LTS-SP3:obs-server-2.10.11-3.oe1.src",
						"openEuler-20.03-LTS-SP1:obs-api-2.10.11-3.oe1.noarch",
						"openEuler-20.03-LTS-SP1:obs-common-2.10.11-3.oe1.noarch",
						"openEuler-20.03-LTS-SP1:obs-server-2.10.11-3.oe1.noarch",
						"openEuler-20.03-LTS-SP3:obs-api-2.10.11-3.oe1.noarch",
						"openEuler-20.03-LTS-SP3:obs-common-2.10.11-3.oe1.noarch",
						"openEuler-20.03-LTS-SP3:obs-server-2.10.11-3.oe1.noarch"
					],
					"details":"obs-server security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1674"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":8.8,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-20.03-LTS-SP1:obs-server-2.10.11-3.oe1.src",
						"openEuler-20.03-LTS-SP3:obs-server-2.10.11-3.oe1.src",
						"openEuler-20.03-LTS-SP1:obs-api-2.10.11-3.oe1.noarch",
						"openEuler-20.03-LTS-SP1:obs-common-2.10.11-3.oe1.noarch",
						"openEuler-20.03-LTS-SP1:obs-server-2.10.11-3.oe1.noarch",
						"openEuler-20.03-LTS-SP3:obs-api-2.10.11-3.oe1.noarch",
						"openEuler-20.03-LTS-SP3:obs-common-2.10.11-3.oe1.noarch",
						"openEuler-20.03-LTS-SP3:obs-server-2.10.11-3.oe1.noarch"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2022-21949"
		}
	]
}