CVE-2017-5188
7.5
HIGH
CVSS 3.1
EPSS 0.15%
Description
The bs_worker code in Open Build Service before 20170320 followed relative symlinks, which allowed files outside the package source directory to be read during a build and could leak private information.
How to fix CVE-2017-5188
To remediate CVE-2017-5188, upgrade the affected package to a fixed version listed below.
- Debian/open-build-service: upgrade to 2.7.4-3 or later
Is CVE-2017-5188 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.7.4-3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |