CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-47533 – Cobbler allows anyone to connect to cobbler XML-RPC server with a known password and make changes
https://notcve.org/view.php?id=CVE-2024-47533
Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue. • https://github.com/cobbler/cobbler/commit/32c5cada013dc8daa7320a8eda9932c2814742b0 https://github.com/cobbler/cobbler/commit/e19717623c10b29e7466ed4ab23515a94beb2dda https://github.com/cobbler/cobbler/security/advisories/GHSA-m26c-fcgh-cp6h • CWE-287: Improper Authentication •
CVSS: 9.1EPSS: 0%CPEs: 4EXPL: 1CVE-2022-0860 – Improper Authorization in cobbler/cobbler
https://notcve.org/view.php?id=CVE-2022-0860
Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. Una Autorización Inapropiada en el repositorio GitHub cobbler/cobbler versiones anteriores a 3.3.2 • https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2021-45083
https://notcve.org/view.php?id=CVE-2021-45083
An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. • https://bugzilla.suse.com/show_bug.cgi?id=1193671 https://github.com/cobbler/cobbler/releases https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEJN7CPW6YCHBFQPFZKGA6AVA6T5NPIW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z5CSXQE7Q4TVDQJKFYBO4XDH3BZ7BLAR https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCXMOUW4DH4DYWIJN44SMSU6R3CZDZBE https://www.openwall.com/lists/oss-security/2022/02/18/3 • CWE-276: Incorrect Default Permissions •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-45081
https://notcve.org/view.php?id=CVE-2021-45081
An issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS. Se ha detectado un problema en Cobbler versiones hasta 3.3.1. Las rutinas en varios archivos usan el protocolo HTTP en lugar del más seguro HTTPS • http://www.openwall.com/lists/oss-security/2022/02/18/3 https://bugzilla.suse.com/show_bug.cgi?id=1193683 https://github.com/cobbler/cobbler/releases • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 7.8EPSS: 0%CPEs: 11EXPL: 1CVE-2021-45082
https://notcve.org/view.php?id=CVE-2021-45082
An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.) Se ha detectado un problema en Cobbler versiones hasta 3.3.0. En el archivo templar.py, la función check_for_invalid_imports puede permitir que el código Cheetah importe módulos de Python por medio de la subcadena "#from MODULE import". • https://bugzilla.suse.com/show_bug.cgi?id=1193678 https://github.com/cobbler/cobbler/releases https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEJN7CPW6YCHBFQPFZKGA6AVA6T5NPIW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z5CSXQE7Q4TVDQJKFYBO4XDH3BZ7BLAR https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCXMOUW4DH4DYWIJN44SMSU6R3CZDZBE • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •