Cobbler Project » Cobbler : Security Vulnerabilities, CVEs,
Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.
Max CVSS
9.1
EPSS Score
0.15%
Published
2022-03-11
Updated
2022-05-23
An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password.
Max CVSS
7.1
EPSS Score
0.04%
Published
2022-02-20
Updated
2022-04-12
An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.)
Max CVSS
7.8
EPSS Score
0.07%
Published
2022-02-19
Updated
2022-04-08
An issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS.
Max CVSS
5.9
EPSS Score
0.11%
Published
2022-02-20
Updated
2022-04-12
Cobbler before 3.3.0 allows authorization bypass for modification of settings.
Max CVSS
7.5
EPSS Score
0.08%
Published
2021-10-04
Updated
2021-10-12
Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.
Max CVSS
7.5
EPSS Score
0.06%
Published
2021-10-04
Updated
2021-10-12
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.
Max CVSS
9.8
EPSS Score
3.05%
Published
2021-10-04
Updated
2021-10-12
It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon.
Max CVSS
9.8
EPSS Score
0.66%
Published
2018-08-09
Updated
2023-02-12
Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user.
Max CVSS
10.0
EPSS Score
0.33%
Published
2018-01-03
Updated
2018-01-17
A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading the arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation.
Max CVSS
6.1
EPSS Score
0.08%
Published
2018-08-22
Updated
2019-10-09
The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet.
Max CVSS
6.8
EPSS Score
0.81%
Published
2014-10-27
Updated
2014-10-29
11 vulnerabilities found