rpm package
almalinux/cockpit-packagekit
pkg:rpm/almalinux/cockpit-packagekit
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-4802 | High | 8.0 | | < 356.2-1.el9_8 | 356.2-1.el9_8 | May 11, 2026 | A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacter |
| CVE-2026-4631 | Critical | 9.8 | | < 344-3.el10_1 | 344-3.el10_1 | Apr 7, 2026 | Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects m |
| CVE-2024-6126 | Low | 3.2 | | < 323.1-1.el9_5 | 323.1-1.el9_5 | Jul 3, 2024 | A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack. |
| CVE-2024-2947 | High | 7.3 | | < 311.2-1.el9_4 | 311.2-1.el9_4 | Mar 28, 2024 | A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer. |