CVE-2017-1000469
https://notcve.org/view.php?id=CVE-2017-1000469
Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user. Cobbler, en versiones hasta la 2.8.2, es vulnerable a inyección de comandos en el componente "add repo". Esto resulta en la ejecución de código arbitrario como usuario root. • https://github.com/cobbler/cobbler/issues/1845 • CWE-20: Improper Input Validation •
CVE-2011-4953
https://notcve.org/view.php?id=CVE-2011-4953
The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet. La función set_mgmt_parameters en item.py en cobbler anterior a 2.2.2 permite a atacantes dependientes de contexo ejecutar código arbitrario a través de vectores relacionados con el uso de la función yaml.load en lugar de la función yaml.safe_load, tal y como fue demostrado mediante el uso de Puppet. • http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00019.html https://bugs.launchpad.net/ubuntu/oneiric/+source/cobbler/+bug/858883 https://bugzilla.novell.com/show_bug.cgi?id=757062 • CWE-20: Improper Input Validation •
CVE-2014-3225 – Cobbler 2.4.x < 2.6.x - Local File Inclusion
https://notcve.org/view.php?id=CVE-2014-3225
Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile. Vulnerabilidad de recorrido de directorio absoluto en la interfaz web en Cobbler 2.4.x hasta 2.6.x permite a usuarios remotos autenticados leer archivos arbitrarios a través del campo Kickstart en un perfil. Cobbler versions 2.6.0 and below suffer from an arbitrary file read vulnerability. • https://www.exploit-db.com/exploits/33252 http://packetstormsecurity.com/files/126553/Cobbler-Local-File-Inclusion.html http://seclists.org/oss-sec/2014/q2/273 http://seclists.org/oss-sec/2014/q2/274 http://www.exploit-db.com/exploits/33252 http://www.osvdb.org/106759 http://www.securityfocus.com/archive/1/532094/100/0/threaded http://www.securityfocus.com/bid/67277 https://github.com/cobbler/cobbler/issues/939 https://www.youtube.com/watch?v=vuBaoQUFEYQ&feature= • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2012-2395 – cobbler: command injection flaw in the power management XML-RPC API
https://notcve.org/view.php?id=CVE-2012-2395
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API. Vulnerabilidad de lista negra incompleta en action_power.py de Cobbler 2.2.0. Permite a atacantes remotos ejecutar comandos arbitrarios a través de meta-caracteres de shell en los campos (1) username o (2) password del método power_system method del API xmlrpc. • http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html http://www.openwall.com/lists/oss-security/2012/05/23/18 http://www.openwall.com/lists/oss-security/2012/05/23/4 http://www.osvdb.org/82458 http://www.securityfocus.com/bid/53666 https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999 https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf https://gi • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2010-4512
https://notcve.org/view.php?id=CVE-2010-4512
Cobbler before 2.0.4 uses an incorrect umask value, which allows local users to have an unspecified impact by leveraging world writable permissions for files and directories. Cobbler en versiones anteriores a la 2.0.4 usa un valor de umask incorrecto, lo que permite a usuarios locales tener un impacto no especificado aprovechando permisos de escritura para todos en ficheros y directorios. • http://people.fedoraproject.org/~shenson/cobbler/cobbler-2.0.8.tar.gz http://secunia.com/advisories/42602 https://bugzilla.redhat.com/show_bug.cgi?id=554567 • CWE-264: Permissions, Privileges, and Access Controls •