RSS   Podatności dla 'Cobbler'   RSS

2022-02-20
 
CVE-2021-45081

CWE-327
 
 
An issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS.

 
 
CVE-2021-45083

CWE-276
 
 
An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password.

 
2021-10-04
 
CVE-2021-40323

CWE-94
 
 
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.

 
 
CVE-2021-40324

CWE-434
 
 
Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.

 
 
CVE-2021-40325

CWE-863
 
 
Cobbler before 3.3.0 allows authorization bypass for modification of settings.

 
2018-08-22
 
CVE-2016-9605

CWE-79
 
 
A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading the arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation.

 
2018-01-03
 
CVE-2017-1000469

CWE-20
 
 
Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user.

 
2014-10-26
 
CVE-2011-4953

CWE-20
 
 
The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet.

 

Copyright 2024, cxsecurity.com

 

Back to Top