Product:

Cobbler

(Cobbler_project)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 11
Date Id Summary Products Score Patch Annotated
2021-10-04 CVE-2021-40323 Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. Cobbler 9.8
2021-10-04 CVE-2021-40324 Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. Cobbler 7.5
2021-10-04 CVE-2021-40325 Cobbler before 3.3.0 allows authorization bypass for modification of settings. Cobbler 7.5
2022-02-19 CVE-2021-45082 An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.) Cobbler, Fedora, Backports, Factory, Linux_enterprise_server 7.8
2022-02-20 CVE-2021-45083 An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password. Cobbler, Fedora 7.1
2022-02-20 CVE-2021-45081 An issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS. Cobbler 5.9
2022-03-11 CVE-2022-0860 Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. Cobbler, Fedora 9.1
2018-08-09 CVE-2018-10931 It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon. Cobbler, Satellite 9.8
2018-08-22 CVE-2016-9605 A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading the arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation. Cobbler 6.1
2018-01-03 CVE-2017-1000469 Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user. Cobbler 9.8