CVE-2024-22033 - Vulnerability Details - OpenCVE

The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact Low

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22033

History

Wed, 16 Oct 2024 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 16 Oct 2024 14:00:00 +0000

Type	Values Removed	Values Added
Description		The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps
Title		obs-service-download_url is vulnerable to argument injection
Weaknesses		CWE-78
References		https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22033
Metrics		cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L'}`

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2024-10-16T13:42:46.559Z

Updated: 2024-10-16T14:07:57.318Z

Reserved: 2024-01-04T12:38:34.024Z

Link: CVE-2024-22033

Vulnrichment

Updated: 2024-10-16T14:07:52.119Z

NVD

Status : Awaiting Analysis

Published: 2024-10-16T14:15:05.280

Modified: 2024-10-16T16:38:14.557

Link: CVE-2024-22033

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22033", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "state": "PUBLISHED", "assignerShortName": "suse", "dateReserved": "2024-01-04T12:38:34.024Z", "datePublished": "2024-10-16T13:42:46.559Z", "dateUpdated": "2024-10-16T14:07:57.318Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "obs-service-download_url", "product": "SUSE Package Hub 15 SP5", "vendor": "SUSE", "versions": [{"lessThan": "0.2.1-bp155.3.3.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "obs-service-download_url", "product": "SUSE Package Hub 15 SP6", "vendor": "SUSE", "versions": [{"lessThan": "0.2.1-bp156.2.3.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "obs-service-download_url", "product": "openSUSE Leap 15.5", "vendor": "SUSE", "versions": [{"lessThan": "0.2.1-bp155.3.3.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "obs-service-download_url", "product": "openSUSE Leap 15.6", "vendor": "SUSE", "versions": [{"lessThan": "0.2.1-bp156.2.3.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "obs-service-download_url", "product": "openSUSE Tumbleweed", "vendor": "SUSE", "versions": [{"lessThan": "0.2.1-1.1", "status": "affected", "version": "?", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Maxime Rinaudo"}], "datePublic": "2024-07-11T14:21:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps<br>"}], "value": "The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2024-10-16T13:42:46.559Z"}, "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22033"}], "source": {"discovery": "EXTERNAL"}, "title": "obs-service-download_url is vulnerable to argument injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-16T14:07:38.141746Z", "id": "CVE-2024-22033", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-16T14:07:57.318Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22033", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-16T14:07:38.141746Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-16T14:07:52.119Z"}}], "cna": {"title": "obs-service-download_url is vulnerable to argument injection", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Maxime Rinaudo"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SUSE", "product": "SUSE Package Hub 15 SP5", "versions": [{"status": "affected", "version": "?", "lessThan": "0.2.1-bp155.3.3.1", "versionType": "custom"}], "packageName": "obs-service-download_url", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Package Hub 15 SP6", "versions": [{"status": "affected", "version": "?", "lessThan": "0.2.1-bp156.2.3.1", "versionType": "custom"}], "packageName": "obs-service-download_url", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "openSUSE Leap 15.5", "versions": [{"status": "affected", "version": "?", "lessThan": "0.2.1-bp155.3.3.1", "versionType": "custom"}], "packageName": "obs-service-download_url", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "openSUSE Leap 15.6", "versions": [{"status": "affected", "version": "?", "lessThan": "0.2.1-bp156.2.3.1", "versionType": "custom"}], "packageName": "obs-service-download_url", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "openSUSE Tumbleweed", "versions": [{"status": "affected", "version": "?", "lessThan": "0.2.1-1.1", "versionType": "custom"}], "packageName": "obs-service-download_url", "defaultStatus": "unaffected"}], "datePublic": "2024-07-11T14:21:00.000Z", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22033"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps", "supportingMedia": [{"type": "text/html", "value": "The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2024-10-16T13:42:46.559Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22033", "state": "PUBLISHED", "dateUpdated": "2024-10-16T14:07:57.318Z", "dateReserved": "2024-01-04T12:38:34.024Z", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "datePublished": "2024-10-16T13:42:46.559Z", "assignerShortName": "suse"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OBS service obs-service-download_url was vulnerable to a command injection vulnerability. The attacker could provide a configuration to the service that allowed to execute command in later steps"}], "id": "CVE-2024-22033", "lastModified": "2024-10-16T16:38:14.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "meissner@suse.de", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "LOW", "subsequentSystemConfidentiality": "LOW", "subsequentSystemIntegrity": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "LOW", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "LOW"}, "source": "meissner@suse.de", "type": "Secondary"}]}, "published": "2024-10-16T14:15:05.280", "references": [{"source": "meissner@suse.de", "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22033"}], "sourceIdentifier": "meissner@suse.de", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "meissner@suse.de", "type": "Primary"}]}