CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2024-47533 – Cobbler allows anyone to connect to cobbler XML-RPC server with a known password and make changes
https://notcve.org/view.php?id=CVE-2024-47533
18 Nov 2024 — Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue. • https://github.com/zetraxz/CVE-2024-47533 • CWE-287: Improper Authentication •
CVSS: 9.1EPSS: 1%CPEs: 4EXPL: 1CVE-2022-0860 – Improper Authorization in cobbler/cobbler
https://notcve.org/view.php?id=CVE-2022-0860
11 Mar 2022 — Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. Una Autorización Inapropiada en el repositorio GitHub cobbler/cobbler versiones anteriores a 3.3.2 It was discovered that Cobbler did not properly handle user input, which could result in an absolute path traversal. An attacker could possibly use this issue to read arbitrary files. It was discovered that Cobbler did not properly handle user input, which could result in command injection. An attacker could possibly use this issue to ... • https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2021-45083 – Ubuntu Security Notice USN-6475-1
https://notcve.org/view.php?id=CVE-2021-45083
20 Feb 2022 — An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. • https://bugzilla.suse.com/show_bug.cgi?id=1193671 • CWE-276: Incorrect Default Permissions •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2021-45081
https://notcve.org/view.php?id=CVE-2021-45081
20 Feb 2022 — An issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS. Se ha detectado un problema en Cobbler versiones hasta 3.3.1. Las rutinas en varios archivos usan el protocolo HTTP en lugar del más seguro HTTPS • http://www.openwall.com/lists/oss-security/2022/02/18/3 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 7.8EPSS: 0%CPEs: 11EXPL: 1CVE-2021-45082 – Ubuntu Security Notice USN-6475-1
https://notcve.org/view.php?id=CVE-2021-45082
18 Feb 2022 — An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.) Se ha detectado un problema en Cobbler versiones hasta 3.3.0. En el archivo templar.py, la función check_for_invalid_imports puede permitir que el código Cheetah importe módulos de Python por medio de la subcadena "#from MODULE import". • https://bugzilla.suse.com/show_bug.cgi?id=1193678 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-40325
https://notcve.org/view.php?id=CVE-2021-40325
04 Oct 2021 — Cobbler before 3.3.0 allows authorization bypass for modification of settings. Cobbler versiones anteriores a 3.3.0, permite omitir una autorización para modificar la configuración • https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a •
CVSS: 7.5EPSS: 3%CPEs: 1EXPL: 0CVE-2021-40324
https://notcve.org/view.php?id=CVE-2021-40324
04 Oct 2021 — Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. Cobbler versiones anteriores a 3.3.0, permite operaciones de escritura de archivos arbitrarios por medio de la función upload_log_data • https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 94%CPEs: 1EXPL: 0CVE-2021-40323
https://notcve.org/view.php?id=CVE-2021-40323
04 Oct 2021 — Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. Cobbler versiones anteriores a 3.3.0, permite un envenenamiento de registros, y la resultante Ejecución de Código Remota , por medio de un método XMLRPC que se registra en el archivo de registro para la inyección de plantillas • https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a • CWE-94: Improper Control of Generation of Code ('Code Injection') •