Started by upstream project "gerrit-pysim" build number 3,0593059gerrit-pysimjob/gerrit-pysim/COMMENT_TYPEDISTROGERRIT_BRANCHmasterGERRIT_CHANGE_NUMBER42625GERRIT_HOSTgerrit.osmocom.orgGERRIT_PATCHSET_NUMBER1GERRIT_PATCHSET_REVISION33d00b34a7fd22858ae6614cf7e5164cc1fe9ad6GERRIT_PATCHSET_UPLOADER_NAMEdexterGERRIT_PORT29418GERRIT_PROJECTpysimGERRIT_REFSPECrefs/changes/25/42625/1GERRIT_REPO_URLssh://jenkins@gerrit.osmocom.org:29418/pysimPIPELINE_BUILD_URLhttps://jenkins.osmocom.org/jenkins/job/gerrit-pysim/3059/PROJECT_NAMEpysimBRANCH_CImaster19859041985904009866869866861.0199151919915190297820556075607<_ _class='hudson.plugins.git.util.Build'>2772167d6aca365b64c84b2485a70cb43bbf3a4e4f2d167d6aca365b64c84b2485a70cb43bbf3a4e4f2d**167d6aca365b64c84b2485a70cb43bbf3a4e4f2d167d6aca365b64c84b2485a70cb43bbf3a4e4f2d**305233d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6master33d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6master33d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6masterssh://jenkins@gerrit.osmocom.org:29418/pysimhttps://jenkins.osmocom.org/jenkins/job/gerrit-pysim-build/3052/artifacthttps://jenkins.osmocom.org/jenkins/job/gerrit-pysim-build/changeshttps://jenkins.osmocom.org/jenkins/job/gerrit-pysim-build/3052/https://jenkins.osmocom.org/jenkins/job/gerrit-pysim-build/3052/testReportfalse#30529866861081954gerrit-pysim-build #30523052falsefalse305289966SUCCESS1776332547781https://jenkins.osmocom.org/jenkins/job/gerrit-pysim-build/3052/- osmo-smdpp.py33d00b34a7fd22858ae6614cf7e5164cc1fe9ad61776254248000https://jenkins.osmocom.org/jenkins/user/pmaierpmaier@sysmocom.depmaier@sysmocom.deosmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)
Root Cause:
os.path.commonprefix() compares strings character-by-character, NOT by path
components. This is a well-known Python antipattern (Python docs explicitly
warn: "this function may return invalid paths because it works a character
at a time").
Attack Context:
The matchingId parameter is received from a network client via the GSMA
ES9+ authenticateClient API endpoint (POST to
/gsma/rsp2/es9plus/authenticateClient). The SM-DP+ server is a Twisted web
application listening on port 443. An unauthenticated eUICC client sends
the matchingId in the ctxParamsForCommonAuthentication ASN.1 structure.
Fix:
Replace os.path.commonprefix() with proper path component checking:
Change-Id: I7a42b40aa2bbcd5f0ec99f172503354c6eaa9828
2026-04-15 13:57:28 +020033d00b34a7fd22858ae6614cf7e5164cc1fe9ad6osmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)editosmo-smdpp.py
githttps://jenkins.osmocom.org/jenkins/user/pmaierpmaier@sysmocom.depmaierCOMMENT_TYPEDISTROGERRIT_BRANCHmasterGERRIT_CHANGE_NUMBER42625GERRIT_HOSTgerrit.osmocom.orgGERRIT_PATCHSET_NUMBER1GERRIT_PATCHSET_REVISION33d00b34a7fd22858ae6614cf7e5164cc1fe9ad6GERRIT_PATCHSET_UPLOADER_NAMEdexterGERRIT_PORT29418GERRIT_PROJECTpysimGERRIT_REFSPECrefs/changes/25/42625/1GERRIT_REPO_URLssh://jenkins@gerrit.osmocom.org:29418/pysimPIPELINE_BUILD_URLhttps://jenkins.osmocom.org/jenkins/job/gerrit-pysim/3059/PROJECT_NAMEpysimBRANCH_CImasterStarted by upstream project "gerrit-pysim-build" build number 3,0523052gerrit-pysim-buildjob/gerrit-pysim-build/000010703107031.0000<_ _class='hudson.plugins.git.util.Build'>2772167d6aca365b64c84b2485a70cb43bbf3a4e4f2d167d6aca365b64c84b2485a70cb43bbf3a4e4f2d**167d6aca365b64c84b2485a70cb43bbf3a4e4f2d167d6aca365b64c84b2485a70cb43bbf3a4e4f2d**305233d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6master33d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6master33d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6masterssh://jenkins@gerrit.osmocom.org:29418/pysimfalse#3052107039549gerrit-pysim-build » distcheck,a1=default,a3=default,a4=default,osmocom-gerrit #30523052falsefalse305289997SUCCESS1776332547781https://jenkins.osmocom.org/jenkins/job/gerrit-pysim-build/JOB_TYPE=distcheck,a1=default,a3=default,a4=default,label=osmocom-gerrit/3052/build4-deb12build-ansible- osmo-smdpp.py33d00b34a7fd22858ae6614cf7e5164cc1fe9ad61776254248000https://jenkins.osmocom.org/jenkins/user/pmaierpmaier@sysmocom.depmaier@sysmocom.deosmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)
Root Cause:
os.path.commonprefix() compares strings character-by-character, NOT by path
components. This is a well-known Python antipattern (Python docs explicitly
warn: "this function may return invalid paths because it works a character
at a time").
Attack Context:
The matchingId parameter is received from a network client via the GSMA
ES9+ authenticateClient API endpoint (POST to
/gsma/rsp2/es9plus/authenticateClient). The SM-DP+ server is a Twisted web
application listening on port 443. An unauthenticated eUICC client sends
the matchingId in the ctxParamsForCommonAuthentication ASN.1 structure.
Fix:
Replace os.path.commonprefix() with proper path component checking:
Change-Id: I7a42b40aa2bbcd5f0ec99f172503354c6eaa9828
2026-04-15 13:57:28 +020033d00b34a7fd22858ae6614cf7e5164cc1fe9ad6osmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)editosmo-smdpp.py
githttps://jenkins.osmocom.org/jenkins/user/pmaierpmaier@sysmocom.deCOMMENT_TYPEDISTROGERRIT_BRANCHmasterGERRIT_CHANGE_NUMBER42625GERRIT_HOSTgerrit.osmocom.orgGERRIT_PATCHSET_NUMBER1GERRIT_PATCHSET_REVISION33d00b34a7fd22858ae6614cf7e5164cc1fe9ad6GERRIT_PATCHSET_UPLOADER_NAMEdexterGERRIT_PORT29418GERRIT_PROJECTpysimGERRIT_REFSPECrefs/changes/25/42625/1GERRIT_REPO_URLssh://jenkins@gerrit.osmocom.org:29418/pysimPIPELINE_BUILD_URLhttps://jenkins.osmocom.org/jenkins/job/gerrit-pysim/3059/PROJECT_NAMEpysimBRANCH_CImasterStarted by upstream project "gerrit-pysim-build" build number 3,0523052gerrit-pysim-buildjob/gerrit-pysim-build/001124746247461.0000<_ _class='hudson.plugins.git.util.Build'>2772167d6aca365b64c84b2485a70cb43bbf3a4e4f2d167d6aca365b64c84b2485a70cb43bbf3a4e4f2d**167d6aca365b64c84b2485a70cb43bbf3a4e4f2d167d6aca365b64c84b2485a70cb43bbf3a4e4f2d**305233d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6master33d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6master33d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6masterssh://jenkins@gerrit.osmocom.org:29418/pysimfalse#30522474623692gerrit-pysim-build » docs,a1=default,a3=default,a4=default,osmocom-gerrit #30523052falsefalse305289999SUCCESS1776332547781https://jenkins.osmocom.org/jenkins/job/gerrit-pysim-build/JOB_TYPE=docs,a1=default,a3=default,a4=default,label=osmocom-gerrit/3052/build5-deb12build-ansible- osmo-smdpp.py33d00b34a7fd22858ae6614cf7e5164cc1fe9ad61776254248000https://jenkins.osmocom.org/jenkins/user/pmaierpmaier@sysmocom.depmaier@sysmocom.deosmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)
Root Cause:
os.path.commonprefix() compares strings character-by-character, NOT by path
components. This is a well-known Python antipattern (Python docs explicitly
warn: "this function may return invalid paths because it works a character
at a time").
Attack Context:
The matchingId parameter is received from a network client via the GSMA
ES9+ authenticateClient API endpoint (POST to
/gsma/rsp2/es9plus/authenticateClient). The SM-DP+ server is a Twisted web
application listening on port 443. An unauthenticated eUICC client sends
the matchingId in the ctxParamsForCommonAuthentication ASN.1 structure.
Fix:
Replace os.path.commonprefix() with proper path component checking:
Change-Id: I7a42b40aa2bbcd5f0ec99f172503354c6eaa9828
2026-04-15 13:57:28 +020033d00b34a7fd22858ae6614cf7e5164cc1fe9ad6osmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)editosmo-smdpp.py
githttps://jenkins.osmocom.org/jenkins/user/pmaierpmaier@sysmocom.deCOMMENT_TYPEDISTROGERRIT_BRANCHmasterGERRIT_CHANGE_NUMBER42625GERRIT_HOSTgerrit.osmocom.orgGERRIT_PATCHSET_NUMBER1GERRIT_PATCHSET_REVISION33d00b34a7fd22858ae6614cf7e5164cc1fe9ad6GERRIT_PATCHSET_UPLOADER_NAMEdexterGERRIT_PORT29418GERRIT_PROJECTpysimGERRIT_REFSPECrefs/changes/25/42625/1GERRIT_REPO_URLssh://jenkins@gerrit.osmocom.org:29418/pysimPIPELINE_BUILD_URLhttps://jenkins.osmocom.org/jenkins/job/gerrit-pysim/3059/PROJECT_NAMEpysimBRANCH_CImasterStarted by upstream project "gerrit-pysim-build" build number 3,0523052gerrit-pysim-buildjob/gerrit-pysim-build/001111457114571.0000<_ _class='hudson.plugins.git.util.Build'>2772167d6aca365b64c84b2485a70cb43bbf3a4e4f2d167d6aca365b64c84b2485a70cb43bbf3a4e4f2d**167d6aca365b64c84b2485a70cb43bbf3a4e4f2d167d6aca365b64c84b2485a70cb43bbf3a4e4f2d**305233d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6master33d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6master33d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6masterssh://jenkins@gerrit.osmocom.org:29418/pysimfalse#30521145711532gerrit-pysim-build » pylint,a1=default,a3=default,a4=default,osmocom-gerrit #30523052falsefalse305289998SUCCESS1776332547781https://jenkins.osmocom.org/jenkins/job/gerrit-pysim-build/JOB_TYPE=pylint,a1=default,a3=default,a4=default,label=osmocom-gerrit/3052/build5-deb12build-ansible- osmo-smdpp.py33d00b34a7fd22858ae6614cf7e5164cc1fe9ad61776254248000https://jenkins.osmocom.org/jenkins/user/pmaierpmaier@sysmocom.depmaier@sysmocom.deosmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)
Root Cause:
os.path.commonprefix() compares strings character-by-character, NOT by path
components. This is a well-known Python antipattern (Python docs explicitly
warn: "this function may return invalid paths because it works a character
at a time").
Attack Context:
The matchingId parameter is received from a network client via the GSMA
ES9+ authenticateClient API endpoint (POST to
/gsma/rsp2/es9plus/authenticateClient). The SM-DP+ server is a Twisted web
application listening on port 443. An unauthenticated eUICC client sends
the matchingId in the ctxParamsForCommonAuthentication ASN.1 structure.
Fix:
Replace os.path.commonprefix() with proper path component checking:
Change-Id: I7a42b40aa2bbcd5f0ec99f172503354c6eaa9828
2026-04-15 13:57:28 +020033d00b34a7fd22858ae6614cf7e5164cc1fe9ad6osmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)editosmo-smdpp.py
githttps://jenkins.osmocom.org/jenkins/user/pmaierpmaier@sysmocom.deCOMMENT_TYPEDISTROGERRIT_BRANCHmasterGERRIT_CHANGE_NUMBER42625GERRIT_HOSTgerrit.osmocom.orgGERRIT_PATCHSET_NUMBER1GERRIT_PATCHSET_REVISION33d00b34a7fd22858ae6614cf7e5164cc1fe9ad6GERRIT_PATCHSET_UPLOADER_NAMEdexterGERRIT_PORT29418GERRIT_PROJECTpysimGERRIT_REFSPECrefs/changes/25/42625/1GERRIT_REPO_URLssh://jenkins@gerrit.osmocom.org:29418/pysimPIPELINE_BUILD_URLhttps://jenkins.osmocom.org/jenkins/job/gerrit-pysim/3059/PROJECT_NAMEpysimBRANCH_CImasterStarted by upstream project "gerrit-pysim-build" build number 3,0523052gerrit-pysim-buildjob/gerrit-pysim-build/00009859549859541.0000<_ _class='hudson.plugins.git.util.Build'>2772167d6aca365b64c84b2485a70cb43bbf3a4e4f2d167d6aca365b64c84b2485a70cb43bbf3a4e4f2d**167d6aca365b64c84b2485a70cb43bbf3a4e4f2d167d6aca365b64c84b2485a70cb43bbf3a4e4f2d**305233d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6master33d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6master33d00b34a7fd22858ae6614cf7e5164cc1fe9ad633d00b34a7fd22858ae6614cf7e5164cc1fe9ad6masterssh://jenkins@gerrit.osmocom.org:29418/pysimfalse#3052985954986571gerrit-pysim-build » test,a1=default,a3=default,a4=default,simtester #30523052falsefalse305290000SUCCESS1776332547781https://jenkins.osmocom.org/jenkins/job/gerrit-pysim-build/JOB_TYPE=test,a1=default,a3=default,a4=default,label=simtester/3052/simtester- osmo-smdpp.py33d00b34a7fd22858ae6614cf7e5164cc1fe9ad61776254248000https://jenkins.osmocom.org/jenkins/user/pmaierpmaier@sysmocom.depmaier@sysmocom.deosmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)
Root Cause:
os.path.commonprefix() compares strings character-by-character, NOT by path
components. This is a well-known Python antipattern (Python docs explicitly
warn: "this function may return invalid paths because it works a character
at a time").
Attack Context:
The matchingId parameter is received from a network client via the GSMA
ES9+ authenticateClient API endpoint (POST to
/gsma/rsp2/es9plus/authenticateClient). The SM-DP+ server is a Twisted web
application listening on port 443. An unauthenticated eUICC client sends
the matchingId in the ctxParamsForCommonAuthentication ASN.1 structure.
Fix:
Replace os.path.commonprefix() with proper path component checking:
Change-Id: I7a42b40aa2bbcd5f0ec99f172503354c6eaa9828
2026-04-15 13:57:28 +020033d00b34a7fd22858ae6614cf7e5164cc1fe9ad6osmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)editosmo-smdpp.py
githttps://jenkins.osmocom.org/jenkins/user/pmaierpmaier@sysmocom.de