- Description
- An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in libzypp-plugin-appdata of SUSE Linux Enterprise Server for SAP 15-SP3 and openSUSE Leap 15.4 allows attackers who can trick users into using specially crafted REPO_ALIAS, REPO_TYPE or REPO_METADATA_PATH settings to execute code as root. This issue affects: SUSE Linux Enterprise Server for SAP 15-SP3 libzypp-plugin-appdata versions prior to 1.0.1+git.20180426; openSUSE Leap 15.4 libzypp-plugin-appdata versions prior to 1.0.1+git.20180426.
- Source
- meissner@suse.de
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 7.8
- Impact score
- 5.9
- Exploitability score
- 1.8
- Vector string
- CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
- meissner@suse.de
- CWE-78
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:opensuse:leap:15.4:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "BE80EB04-7F9D-4C0B-85DB-4A13DEACB5E4"
          },
          {
            "criteria": "cpe:2.3:o:suse:suse_linux_enterprise_server:15:sp3:*:*:*:sap:*:*",
            "vulnerable": false,
            "matchCriteriaId": "107443F7-75CB-478B-B79A-EDD6582530DD"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:opensuse:libzypp-plugin-appdata:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "231CBDA6-33BA-44D6-81AF-B62C47F4A261",
            "versionEndExcluding": "1.0.1\\+git.20180426"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]