VYPR

rpm package

almalinux/cockpit-system

pkg:rpm/almalinux/cockpit-system

Vulnerabilities (6)

  • CVE-2026-4802HigMay 11, 2026
    affected < 356.2-1.el9_8fixed 356.2-1.el9_8

    A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacter

  • CVE-2026-4631CriApr 7, 2026
    affected < 344-3.el10_1fixed 344-3.el10_1

    Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects m

  • CVE-2024-6126LowJul 3, 2024
    affected < 323.1-1.el9_5fixed 323.1-1.el9_5

    A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack.

  • CVE-2024-2947HigMar 28, 2024
    affected < 310.4-1.el8_10fixed 310.4-1.el8_10

    A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.

  • CVE-2021-3698Mar 8, 2022
    affected < 264.1-1.el8fixed 264.1-1.el8

    A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL)

  • CVE-2021-3660Mar 7, 2022
    affected < 264.1-1.el8fixed 264.1-1.el8

    Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.