rpm package
opensuse/cobbler&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/cobbler&distro=openSUSE%20Tumbleweed
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-47533 | Cri | 9.8 | < 3.3.7-1.1 | 3.3.7-1.1 | Nov 18, 2024 | Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyon | |
| CVE-2022-0860 | — | < 3.3.2.0+git.9044aa99-1.1 | 3.3.2.0+git.9044aa99-1.1 | Mar 11, 2022 | Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. | ||
| CVE-2021-45082 | — | < 3.3.1.0+git.f5b0599a-1.1 | 3.3.1.0+git.f5b0599a-1.1 | Feb 18, 2022 | An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.) | ||
| CVE-2016-9605 | Med | 6.1 | < 3.2.1.336+git.5639a3af-1.1 | 3.2.1.336+git.5639a3af-1.1 | Aug 22, 2018 | A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading the arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation. | |
| CVE-2018-1000226 | Cri | 9.8 | < 3.2.1.336+git.5639a3af-1.1 | 3.2.1.336+git.5639a3af-1.1 | Aug 20, 2018 | Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation, | |
| CVE-2018-1000225 | Med | 6.1 | < 3.2.1.336+git.5639a3af-1.1 | 3.2.1.336+git.5639a3af-1.1 | Aug 20, 2018 | Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. Th | |
| CVE-2018-10931 | Cri | 9.8 | < 3.2.1.336+git.5639a3af-1.1 | 3.2.1.336+git.5639a3af-1.1 | Aug 9, 2018 | It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon. | |
| CVE-2017-1000469 | Cri | 9.8 | < 3.2.1.336+git.5639a3af-1.1 | 3.2.1.336+git.5639a3af-1.1 | Jan 3, 2018 | Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user. | |
| CVE-2011-4953 | — | < 3.2.1.336+git.5639a3af-1.1 | 3.2.1.336+git.5639a3af-1.1 | Oct 27, 2014 | The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet. | ||
| CVE-2014-3225 | — | < 2.6.6-4.2 | 2.6.6-4.2 | May 14, 2014 | Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile. | ||
| CVE-2012-2395 | — | < 2.6.6-4.2 | 2.6.6-4.2 | Jun 16, 2012 | Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API. |
- affected < 3.3.7-1.1fixed 3.3.7-1.1
Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyon
- CVE-2022-0860Mar 11, 2022affected < 3.3.2.0+git.9044aa99-1.1fixed 3.3.2.0+git.9044aa99-1.1
Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.
- CVE-2021-45082Feb 18, 2022affected < 3.3.1.0+git.f5b0599a-1.1fixed 3.3.1.0+git.f5b0599a-1.1
An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.)
- affected < 3.2.1.336+git.5639a3af-1.1fixed 3.2.1.336+git.5639a3af-1.1
A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading the arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation.
- affected < 3.2.1.336+git.5639a3af-1.1fixed 3.2.1.336+git.5639a3af-1.1
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation,
- affected < 3.2.1.336+git.5639a3af-1.1fixed 3.2.1.336+git.5639a3af-1.1
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. Th
- affected < 3.2.1.336+git.5639a3af-1.1fixed 3.2.1.336+git.5639a3af-1.1
It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon.
- affected < 3.2.1.336+git.5639a3af-1.1fixed 3.2.1.336+git.5639a3af-1.1
Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user.
- CVE-2011-4953Oct 27, 2014affected < 3.2.1.336+git.5639a3af-1.1fixed 3.2.1.336+git.5639a3af-1.1
The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet.
- CVE-2014-3225May 14, 2014affected < 2.6.6-4.2fixed 2.6.6-4.2
Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile.
- CVE-2012-2395Jun 16, 2012affected < 2.6.6-4.2fixed 2.6.6-4.2
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.