VYPR

rpm package

opensuse/cobbler&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/cobbler&distro=openSUSE%20Tumbleweed

Vulnerabilities (11)

  • CVE-2024-47533CriNov 18, 2024
    affected < 3.3.7-1.1fixed 3.3.7-1.1

    Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyon

  • CVE-2022-0860Mar 11, 2022
    affected < 3.3.2.0+git.9044aa99-1.1fixed 3.3.2.0+git.9044aa99-1.1

    Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.

  • CVE-2021-45082Feb 18, 2022
    affected < 3.3.1.0+git.f5b0599a-1.1fixed 3.3.1.0+git.f5b0599a-1.1

    An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.)

  • CVE-2016-9605MedAug 22, 2018
    affected < 3.2.1.336+git.5639a3af-1.1fixed 3.2.1.336+git.5639a3af-1.1

    A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading the arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation.

  • CVE-2018-1000226CriAug 20, 2018
    affected < 3.2.1.336+git.5639a3af-1.1fixed 3.2.1.336+git.5639a3af-1.1

    Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation,

  • CVE-2018-1000225MedAug 20, 2018
    affected < 3.2.1.336+git.5639a3af-1.1fixed 3.2.1.336+git.5639a3af-1.1

    Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. Th

  • CVE-2018-10931CriAug 9, 2018
    affected < 3.2.1.336+git.5639a3af-1.1fixed 3.2.1.336+git.5639a3af-1.1

    It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon.

  • CVE-2017-1000469CriJan 3, 2018
    affected < 3.2.1.336+git.5639a3af-1.1fixed 3.2.1.336+git.5639a3af-1.1

    Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user.

  • CVE-2011-4953Oct 27, 2014
    affected < 3.2.1.336+git.5639a3af-1.1fixed 3.2.1.336+git.5639a3af-1.1

    The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet.

  • CVE-2014-3225May 14, 2014
    affected < 2.6.6-4.2fixed 2.6.6-4.2

    Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile.

  • CVE-2012-2395Jun 16, 2012
    affected < 2.6.6-4.2fixed 2.6.6-4.2

    Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.