Vulnerability Details : CVE-2012-2395
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.
Exploit prediction scoring system (EPSS) score for CVE-2012-2395
Probability of exploitation activity in the next 30 days: 2.10%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 88 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2012-2395
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
References for CVE-2012-2395
-
https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
Bug #978999 “command injection on the host via the xmlrpc api” : Bugs : cobbler package : Ubuntu
-
https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf
Merge pull request #164 from jimi1283/powerpipe · cobbler/cobbler@6d9167e · GitHubExploit;Patch
-
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html
[security-announce] openSUSE-SU-2012:0655-1: important: update for cobbl
-
http://www.openwall.com/lists/oss-security/2012/05/23/4
oss-security - CVE request: cobbler command injection
-
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html
[security-announce] SUSE-SU-2012:0814-1: important: Security update for
-
http://www.securityfocus.com/bid/53666
Cobbler Remote Command Injection Vulnerability
-
https://github.com/cobbler/cobbler/issues/141
command injection on the host via the xmlrpc api · Issue #141 · cobbler/cobbler · GitHub
-
http://www.openwall.com/lists/oss-security/2012/05/23/18
oss-security - Re: CVE request: cobbler command injection
Products affected by CVE-2012-2395
- cpe:2.3:a:michael_dehaan:cobbler:2.2.0:*:*:*:*:*:*:*