Filtered by vendor Cobbler Project
Subscriptions
Filtered by product Cobbler
Subscriptions
Total
12 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-0860 | 2 Cobbler Project, Fedoraproject | 2 Cobbler, Fedora | 2024-11-21 | 9.1 Critical |
Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. | ||||
CVE-2021-45083 | 2 Cobbler Project, Fedoraproject | 2 Cobbler, Fedora | 2024-11-21 | 7.1 High |
An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password. | ||||
CVE-2021-45082 | 4 Cobbler Project, Fedoraproject, Opensuse and 1 more | 5 Cobbler, Fedora, Backports and 2 more | 2024-11-21 | 7.8 High |
An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.) | ||||
CVE-2021-45081 | 1 Cobbler Project | 1 Cobbler | 2024-11-21 | 5.9 Medium |
An issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS. | ||||
CVE-2021-40325 | 1 Cobbler Project | 1 Cobbler | 2024-11-21 | 7.5 High |
Cobbler before 3.3.0 allows authorization bypass for modification of settings. | ||||
CVE-2021-40324 | 1 Cobbler Project | 1 Cobbler | 2024-11-21 | 7.5 High |
Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. | ||||
CVE-2021-40323 | 1 Cobbler Project | 1 Cobbler | 2024-11-21 | 9.8 Critical |
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. | ||||
CVE-2018-10931 | 2 Cobbler Project, Redhat | 3 Cobbler, Network Satellite, Satellite | 2024-11-21 | N/A |
It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon. | ||||
CVE-2017-1000469 | 1 Cobbler Project | 1 Cobbler | 2024-11-21 | N/A |
Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user. | ||||
CVE-2016-9605 | 1 Cobbler Project | 1 Cobbler | 2024-11-21 | N/A |
A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading the arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation. | ||||
CVE-2011-4953 | 1 Cobbler Project | 1 Cobbler | 2024-11-21 | N/A |
The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet. | ||||
CVE-2024-47533 | 1 Cobbler Project | 1 Cobbler | 2024-11-20 | 9.8 Critical |
Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue. |
Page 1 of 1.