CVE-2024-22034 - Vulnerability Details - OpenCVE

Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-19638	Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22034

History

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00026}`	epss `{'score': 0.00029}`

Wed, 16 Oct 2024 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 16 Oct 2024 14:00:00 +0000

Type	Values Removed	Values Added
Description		Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim
Title		Crafted projects can overwrite special files in the .osc config directory
References		https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22034
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: suse

Published: 2024-10-16T13:46:08.416Z

Updated: 2024-10-31T13:34:34.435Z

Reserved: 2024-01-04T12:38:34.024Z

Link: CVE-2024-22034

Vulnrichment

Updated: 2024-10-16T14:01:24.508Z

NVD

Status : Awaiting Analysis

Published: 2024-10-16T14:15:05.577

Modified: 2024-10-16T16:38:14.557

Link: CVE-2024-22034

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

No weakness.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22034", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "state": "PUBLISHED", "assignerShortName": "suse", "dateReserved": "2024-01-04T12:38:34.024Z", "datePublished": "2024-10-16T13:46:08.416Z", "dateUpdated": "2024-10-31T13:34:34.435Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise Desktop 15 SP5", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-150400.10.6.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise High Performance Computing 15 SP5", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-150400.10.6.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise Module for Development Tools 15 SP5", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-150400.10.6.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise Server 15 SP5", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-150400.10.6.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP5", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-150400.10.6.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise Desktop 15 SP6", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-150400.10.6.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise High Performance Computing 15 SP6", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-150400.10.6.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise Module for Development Tools 15 SP6", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-150400.10.6.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise Server 15 SP6", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-150400.10.6.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP6", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-150400.10.6.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise Server 12 SP5", "vendor": "SUSE", "versions": [{"lessThan": "0.183.0-15.18.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise Server for SAP Applications 12 SP5", "vendor": "SUSE", "versions": [{"lessThan": "0.183.0-15.18.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "SUSE Linux Enterprise Software Development Kit 12 SP5", "vendor": "SUSE", "versions": [{"lessThan": "0.183.0-15.18.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "openSUSE Leap 15.5", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-150400.10.6.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "openSUSE Leap 15.6", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-150400.10.6.1", "status": "affected", "version": "?", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "packageName": "osc", "product": "openSUSE Tumbleweed", "vendor": "SUSE", "versions": [{"lessThan": "1.9.0-1.1", "status": "affected", "version": "?", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Daniel Mach of SUSE"}], "datePublic": "2024-08-19T11:42:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim<br>"}], "value": "Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2024-10-16T13:46:08.416Z"}, "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22034"}], "source": {"discovery": "INTERNAL"}, "title": "Crafted projects can overwrite special files in the .osc config directory", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-16T14:01:15.655473Z", "id": "CVE-2024-22034", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-31T13:34:34.435Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22034", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-16T14:01:15.655473Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-16T14:01:24.508Z"}}], "cna": {"title": "Crafted projects can overwrite special files in the .osc config directory", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Daniel Mach of SUSE"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SUSE", "product": "SUSE Linux Enterprise Desktop 15 SP5", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-150400.10.6.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise High Performance Computing 15 SP5", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-150400.10.6.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise Module for Development Tools 15 SP5", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-150400.10.6.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise Server 15 SP5", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-150400.10.6.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP5", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-150400.10.6.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise Desktop 15 SP6", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-150400.10.6.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise High Performance Computing 15 SP6", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-150400.10.6.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise Module for Development Tools 15 SP6", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-150400.10.6.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise Server 15 SP6", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-150400.10.6.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise Server for SAP Applications 15 SP6", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-150400.10.6.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise Server 12 SP5", "versions": [{"status": "affected", "version": "?", "lessThan": "0.183.0-15.18.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise Server for SAP Applications 12 SP5", "versions": [{"status": "affected", "version": "?", "lessThan": "0.183.0-15.18.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "SUSE Linux Enterprise Software Development Kit 12 SP5", "versions": [{"status": "affected", "version": "?", "lessThan": "0.183.0-15.18.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "openSUSE Leap 15.5", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-150400.10.6.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "openSUSE Leap 15.6", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-150400.10.6.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}, {"vendor": "SUSE", "product": "openSUSE Tumbleweed", "versions": [{"status": "affected", "version": "?", "lessThan": "1.9.0-1.1", "versionType": "custom"}], "packageName": "osc", "defaultStatus": "unaffected"}], "datePublic": "2024-08-19T11:42:00.000Z", "references": [{"url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2024-22034"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim", "supportingMedia": [{"type": "text/html", "value": "Attackers could put the special files in .osc into the actual package sources (e.g. _apiurl). This allows the attacker to change the configuration of osc for the victim<br>", "base64": false}]}], "providerMetadata": {"orgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "shortName": "suse", "dateUpdated": "2024-10-16T13:46:08.416Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22034", "state": "PUBLISHED", "dateUpdated": "2024-10-31T13:34:34.435Z", "dateReserved": "2024-01-04T12:38:34.024Z", "assignerOrgId": "404e59f5-483d-4b8a-8e7a-e67604dd8afb", "datePublished": "2024-10-16T13:46:08.416Z", "assignerShortName": "suse"}, "dataVersion": "5.1"}