CVE-2021-45082
Description
An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cobbler before 3.3.1 has a template sanitization bypass allowing Cheetah code to import Python modules via the `#from` directive, enabling remote code execution.
Vulnerability
In Cobbler versions before 3.3.1, the file templar.py contains the function check_for_invalid_imports, which is designed to block insecure imports in Cheetah templates [3]. The function only checks for lines beginning with #import, but it fails to catch the alternative #from MODULE import ... syntax, which is valid Cheetah code [3]. This allows an attacker to bypass the import whitelist and import arbitrary Python modules, leading to potential code execution [3]. The affected versions include those in various SUSE codestreams: openSUSE Backports SLE-15-SP3 (3.1.2), openSUSE Backports SLE-15-SP4 (3.3.0), openSUSE Factory (3.3.0), SUSE SLE-11-SP3 (2.2.2), SUSE SLE-12 (2.6.6), and SUSE Manager 4.1 (3.0.0) [3].
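To make the gap concrete, the following added example (written for this page, not Cobbler's own code) contrasts a naive check that only treats lines beginning with `#import` as imports with a hardened check that also recognises the `#from MODULE import` form, tolerates leading whitespace, and compares the imported module against an allowlist. The sample template, the `ALLOWED_MODULES` set and the function names are constructed for illustration and are not taken from Cobbler.

```python
import re
from typing import List, Tuple

# Constructed sample Cheetah template (not from Cobbler). Lines 3 and 4 use
# the "#from MODULE import" form that the naive check below never sees.
SAMPLE_TEMPLATE = """\
#set $hostname = "node1"
#import time
  #from os import path
#from subprocess import *
Host: $hostname
"""

# Hypothetical allowlist of modules a template may import. Cobbler's real
# policy lives in templar.py; this set exists only for the example.
ALLOWED_MODULES = {"time", "math"}

# Matches a Cheetah import directive in either form and captures the module:
#   #import MODULE             -> group 'imp'
#   #from MODULE import NAME   -> group 'frm'
# Leading whitespace and a space after '#' are tolerated so that an
# indented directive is not missed.
DIRECTIVE_RE = re.compile(
    r"^\s*#\s*(?:import\s+(?P<imp>[\w.]+)|from\s+(?P<frm>[\w.]+)\s+import\b)"
)


def naive_check(template: str) -> List[int]:
    """The weak behaviour the page describes: only lines that literally
    begin with '#import' count as imports. Returns 1-based line numbers."""
    return [
        n for n, line in enumerate(template.splitlines(), 1)
        if line.startswith("#import")
    ]


def strict_check(
    template: str, allowed=ALLOWED_MODULES
) -> List[Tuple[int, str, str]]:
    """Hardened check: flags both '#import' and '#from ... import' lines
    whose top-level module is not allowlisted. Returns (line, form, module)."""
    findings = []
    for n, line in enumerate(template.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        form, module = (
            ("import", m["imp"]) if m["imp"] else ("from", m["frm"])
        )
        if module.split(".")[0] not in allowed:
            findings.append((n, form, module))
    return findings


if __name__ == "__main__":
    # The naive check reports only line 2; the strict check reports the two
    # '#from' lines whose modules are outside the allowlist.
    print("naive :", naive_check(SAMPLE_TEMPLATE))
    print("strict:", strict_check(SAMPLE_TEMPLATE))
```

The regex anchors on the start of the line after optional whitespace, so a directive that is indented or written as `# from` is still caught; matching on the module name rather than the bare `#import` prefix is what closes the bypass the advisory describes.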
Exploitation
An attacker with the ability to modify or upload a Cheetah template to the Cobbler server can craft a template using the #from syntax to import a malicious Python module [2][3]. The attacker must have local access to the system or privileges to write templates (e.g., by being a Cobbler admin or through some other file write mechanism) [2]. The exploit requires no user interaction beyond the attacker's own actions, and no race window is involved: the import executes when the template is rendered [3].
Impact
Successful exploitation allows an attacker to achieve arbitrary remote code execution (RCE) on the Cobbler server with the privileges of the Cobbler process [3]. This can lead to a complete loss of confidentiality, integrity, and availability, including information disclosure, file manipulation, and full system takeover [2][3]. The CVSS v3.1 base score is 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact but requiring local access and high attack complexity [2].
Mitigation
Cobbler 3.3.1 is the first fixed version, released after the vulnerability was disclosed [2]. Upgrading to Cobbler 3.3.1 or later is the primary mitigation. Users on older branches should apply the relevant backported patch from their distribution (e.g., SUSE updates) [3]. No workarounds are documented in the available references; the only reliable fix is to update Cobbler. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cobbler (PyPI) | < 3.3.1 | 3.3.1 |
Affected products
- Cobbler/Cobbler (GHSA coordinates: pkg:pypi/cobbler; pkg:rpm/opensuse/cobbler&distro=openSUSE%20Tumbleweed; pkg:rpm/suse/cobbler&distro=SUSE%20Manager%20Server%20Module%204.1; pkg:rpm/suse/cobbler&distro=SUSE%20Manager%20Server%20Module%204.2), range: < 3.3.1 (+ 3 more)
- (no CPE) range: < 3.3.1
- (no CPE) range: < 3.3.1.0+git.f5b0599a-1.1
- (no CPE) range: < 3.0.0+git20190806.32c4bae0-8.22.9.1
- (no CPE) range: < 3.1.2-150300.5.14.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6cm4-gm85-972c (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEJN7CPW6YCHBFQPFZKGA6AVA6T5NPIW/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z5CSXQE7Q4TVDQJKFYBO4XDH3BZ7BLAR/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCXMOUW4DH4DYWIJN44SMSU6R3CZDZBE/ (MITRE, vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2021-45082 (GHSA, advisory)
- bugzilla.suse.com/show_bug.cgi (GHSA, x_refsource_MISC, web)
- github.com/cobbler/cobbler/pull/2945 (GHSA, web)
- github.com/cobbler/cobbler/releases/tag/v3.3.1 (GHSA, web)
- github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2022-37.yaml (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEJN7CPW6YCHBFQPFZKGA6AVA6T5NPIW (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z5CSXQE7Q4TVDQJKFYBO4XDH3BZ7BLAR (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCXMOUW4DH4DYWIJN44SMSU6R3CZDZBE (GHSA, web)
News mentions
No linked articles in our index yet.