Vulnerability Details : CVE-2015-0778
osc before 0.151.0 allows remote attackers to execute arbitrary commands via shell metacharacters in a _service file.
Products affected by CVE-2015-0778
- cpe:2.3:a:suse:opensuse_osc:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-0778
- 1.39%: Probability of exploitation activity in the next 30 days
- ~ 87%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-0778
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
CWE ids for CVE-2015-0778
- The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-0778
- http://www.securityfocus.com/bid/73114
  openSUSE OSC 'osc/core.py' Command Injection Vulnerability
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00012.html
  [security-announce] SUSE-SU-2015:0487-1: important: Security update for (Vendor Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/154117.html
  [SECURITY] Fedora 22 Update: osc-0.151.1-163.2.1.fc22 (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00011.html
  [security-announce] openSUSE-SU-2015:0486-1: important: Security update (Vendor Advisory)
- https://bugzilla.suse.com/show_bug.cgi?id=901643
  Bug 901643 – VUL-0: CVE-2015-0778: osc _service file shell injection (Issue Tracking)
- https://security.gentoo.org/glsa/201603-02
  OSC: Shell command injection (GLSA 201603-02) — Gentoo security
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154267.html
  [SECURITY] Fedora 21 Update: osc-0.151.1-163.2.1.fc21 (Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154257.html
  [SECURITY] Fedora 20 Update: osc-0.151.1-163.2.1.fc20 (Third Party Advisory)