CVE-2018-10931
Description
It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler and upload files to arbitrary locations in the context of the daemon.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cobbler 2.6.x exposes all CobblerXMLRPCInterface methods over unauthenticated XMLRPC, allowing remote attackers to gain high privileges and upload files.
Vulnerability
Cobbler versions 2.6.x expose all functions from the CobblerXMLRPCInterface class over the XMLRPC endpoint (/cobbler_api). The implementation uses Python's SimpleXMLRPCServer with register_instance, which makes every method of that class accessible remotely without authentication [2]. This includes over 195 methods, some of which were intended to be private (e.g., _new_event, _set_task_state, _log) [2]. The design flaw means that no access token is validated for many endpoints, effectively rendering the API unauthenticated [2].
Exploitation
A remote, unauthenticated attacker can connect to the exposed XMLRPC endpoint and call any method from the CobblerXMLRPCInterface class [1][2]. No prior authentication or user interaction is required. The attacker can directly invoke methods that modify settings, upload files, or perform privileged operations. For example, the modify_setting API endpoint lacked proper token checks, which a pull request later addressed [3]. The attacker only needs network access to the Cobbler server (typically on port 80/443 or a custom port) [2].
Impact
Successful exploitation allows the attacker to gain high privileges within Cobbler, potentially equivalent to an administrator [1][4]. The attacker can upload files to arbitrary locations on the server file system, in the context of the Cobbler daemon [1]. This could lead to remote code execution, unauthorized configuration changes, or complete compromise of the Cobbler server and its managed infrastructure.
Mitigation
Red Hat released advisory RHSA-2018:2372, which provides updated packages for Red Hat Enterprise Linux and other affected distributions [4]. Users should upgrade to the patched version of Cobbler. For environments where immediate patching is not possible, restrict network access to the /cobbler_api endpoint using a firewall or reverse proxy to limit exposure to trusted networks only [2]. The fix ensures proper access token validation on critical API methods such as modify_setting [3].
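To make the exposure mechanism and the fix concrete, here is an added toy example (constructed for this page, not Cobbler's own code). `WideOpenInterface` forwards any method name a client sends through a `_dispatch` hook, which is the example's stand-in for how underscore-prefixed helpers such as `_log` became reachable, and it accepts a token without validating it; `HardenedInterface` keeps an allowlist and validates the token centrally before any method body runs, the check the fix added to `modify_setting`. `VALID_TOKEN`, `call` and the sample setting values are assumptions of this example.

```python
"""Toy XML-RPC interface showing the exposure pattern behind CVE-2018-10931
and a hardened dispatcher. Constructed example; not Cobbler's own code."""
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

VALID_TOKEN = "constructed-login-token"  # stand-in for a real session token


class WideOpenInterface:
    """Forwards any method name the client sends, so 'private' helpers such as
    _log are callable and no method checks the token it receives."""
    def __init__(self):
        self.settings = {"server": "192.0.2.10"}  # constructed sample setting
        self.events = []

    def _dispatch(self, method, params):
        return getattr(self, method)(*params)  # no allowlist, no token check

    def _log(self, msg):
        self.events.append(msg)
        return True

    def modify_setting(self, name, value, token):
        self.settings[name] = value  # token accepted but never validated
        return 0


class HardenedInterface(WideOpenInterface):
    """Central fix: only allowlisted public names dispatch, and the token (last
    argument) is validated before any method body runs."""
    ALLOWED = {"modify_setting"}

    def _dispatch(self, method, params):
        if method.startswith("_") or method not in self.ALLOWED:
            raise Exception("unknown remote method: %s" % method)
        if not params or params[-1] != VALID_TOKEN:
            raise Exception("invalid token for %s" % method)
        self._log("%s called" % method)  # log after the check; token not logged
        return getattr(self, method)(*params)


def call(iface, method, *params):
    """Round-trip one XML-RPC request through the stdlib dispatcher without a
    socket. Returns ('ok', value) or ('fault', message)."""
    disp = SimpleXMLRPCDispatcher(allow_none=True)
    disp.register_instance(iface)
    body = xmlrpc.client.dumps(params, methodname=method)
    try:
        (value,), _ = xmlrpc.client.loads(disp._marshaled_dispatch(body))
        return ("ok", value)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultString)
```

Running `call(WideOpenInterface(), "_log", "x")` succeeds while the same call against `HardenedInterface()` returns a fault, and `modify_setting` only changes a setting on the hardened instance when the last argument equals the valid token.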
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cobbler (PyPI) | >= 2.6.0, < 3.0.0 | 3.0.0 |
Affected products
| Package coordinate | Affected range |
|---|---|
| pkg:pypi/cobbler | >= 2.6.0, < 3.0.0 |
| pkg:rpm/opensuse/cobbler&distro=openSUSE%20Leap%2015.2 | < 3.1.2-lp152.6.3.1 |
| pkg:rpm/opensuse/cobbler&distro=openSUSE%20Tumbleweed | < 3.2.1.336+git.5639a3af-1.1 |
| pkg:rpm/suse/cobbler&distro=HPE%20Helion%20OpenStack%208 | < 2.6.6-49.14.1 |
| pkg:rpm/suse/cobbler&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-CLIENT-TOOLS | < 2.2.2-0.68.6.1 |
| pkg:rpm/suse/cobbler&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-CLIENT-TOOLS | < 2.2.2-0.68.6.1 |
| pkg:rpm/suse/cobbler&distro=SUSE%20Manager%20Client%20Tools%2012 | < 2.6.6-49.14.1 |
| pkg:rpm/suse/cobbler&distro=SUSE%20Manager%20Server%203.0 | < 2.6.6-49.14.1 |
| pkg:rpm/suse/cobbler&distro=SUSE%20Manager%20Server%203.1 | < 2.6.6-5.17.1 |
| pkg:rpm/suse/cobbler&distro=SUSE%20Manager%20Server%203.2 | < 2.6.6-6.7.1 |
| pkg:rpm/suse/cobbler&distro=SUSE%20OpenStack%20Cloud%208 | < 2.6.6-49.14.1 |
| pkg:rpm/suse/cobbler&distro=SUSE%20Package%20Hub%2015%20SP2 | < 3.1.2-bp152.4.3.1 |
| The Cobbler Project / cobbler (CVE v5 record, no CPE) | 2.6.x |
Patches
1b91a3d3ac87: Check access token when calling 'modify_setting' API endpoint
1 file changed · +2 −0
cobbler/remote.py+2 −0 modified@@ -902,6 +902,8 @@ def modify_file(self, object_id, attribute, arg, token): return self.modify_item("file", object_id, attribute, arg, token) def modify_setting(self, setting_name, value, token): + self._log("modify_setting(%s)" % setting_name, token=token) + self.check_access(token, "modify_setting") try: self.api.settings().set(setting_name, value) return 0
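Review bot: the new `self.check_access(token, "modify_setting")` line guards this one method only; the hunk does nothing for the other methods of the same class that the advisory says are callable without a token, so each of them needs the same check or, better, one enforcement point in the dispatcher so a missing per-method line cannot reopen the hole. Since `self._log("modify_setting(%s)" % setting_name, token=token)` runs before the check, a rejected call is still recorded, which is good for detection; confirm that `_log` uses the `token=token` argument only for attribution and never writes the raw token value to the log.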
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2018:2372 (Red Hat vendor advisory)
- github.com/advisories/GHSA-8787-63px-3m23 (GitHub Security Advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5P5Q4ACIVZ5D4KSUDLGRTOKGGB4U42SD/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMWK5KCCZXOGOYNR2H6BWDSABTQ5NYJA/ (Fedora vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-10931 (NVD entry)
- access.redhat.com/security/cve/CVE-2018-10931 (Red Hat CVE page)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- github.com/cobbler/cobbler/commit/1b91a3d3ac87c31d9dac2307513feb2aa49620a6 (fix commit)
- github.com/cobbler/cobbler/issues/1916 (upstream issue)
- github.com/cobbler/cobbler/pull/1921 (upstream pull request)
- movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api (researcher write-up)