rpm package
almalinux/cockpit-ws
pkg:rpm/almalinux/cockpit-ws
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-4802 | Hig | 8.0 | < 356.2-1.el9_8 | 356.2-1.el9_8 | May 11, 2026 | A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacter | |
| CVE-2026-4631 | Cri | 9.8 | < 344-2.el9_7 | 344-2.el9_7 | Apr 7, 2026 | Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects m | |
| CVE-2024-6126 | Low | 3.2 | < 323.1-1.el9_5 | 323.1-1.el9_5 | Jul 3, 2024 | A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack. | |
| CVE-2024-2947 | Hig | 7.3 | < 310.4-1.el8_10 | 310.4-1.el8_10 | Mar 28, 2024 | A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer. | |
| CVE-2021-3698 | — | < 264.1-1.el8 | 264.1-1.el8 | Mar 8, 2022 | A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) | ||
| CVE-2021-3660 | — | < 264.1-1.el8 | 264.1-1.el8 | Mar 7, 2022 | Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks. |
- affected < 356.2-1.el9_8fixed 356.2-1.el9_8
A flaw was found in Cockpit. This vulnerability allows a remote attacker to achieve arbitrary command execution on the host by exploiting unsanitized user-controlled parameters within crafted links in the system logs user interface (UI). An attacker can inject shell metacharacter
- affected < 344-2.el9_7fixed 344-2.el9_7
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects m
- affected < 323.1-1.el9_5fixed 323.1-1.el9_5
A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack.
- affected < 310.4-1.el8_10fixed 310.4-1.el8_10
A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.
- CVE-2021-3698Mar 8, 2022affected < 264.1-1.el8fixed 264.1-1.el8
A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL)
- CVE-2021-3660Mar 7, 2022affected < 264.1-1.el8fixed 264.1-1.el8
Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.