First published: Tue May 03 2022
An Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service allows remote attackers to reference external entities in certain operations. This can be used to gain information from the server that can be abused to escalate to Admin privileges on OBS. This issue affects SUSE Open Build Service versions prior to 2.10.13.
Credit: meissner@suse.de
Affected Software | Affected Version | How to fix |
---|---|---|
openSUSE Open Build Service | <2.10.13 | |
CVE-2022-21949 is an Improper Restriction of XML External Entity Reference vulnerability in SUSE Open Build Service that allows remote attackers to reference external entities in certain operations.
CVE-2022-21949 affects SUSE Open Build Service by allowing remote attackers to reference external entities, potentially leading to information leakage and escalation of privileges.
The severity of CVE-2022-21949 is critical, with a CVSS score of 8.8.
Versions up to and excluding 2.10.13 of SUSE Open Build Service are affected by CVE-2022-21949.
Updating to a version of SUSE Open Build Service that is later than 2.10.13 will fix the vulnerability.