VYPR

rpm package

suse/cobbler&distro=SUSE Package Hub 15 SP2

pkg:rpm/suse/cobbler&distro=SUSE%20Package%20Hub%2015%20SP2

Vulnerabilities (6)

  • CVE-2018-1000226CriAug 20, 2018
    affected < 3.1.2-bp152.4.3.1fixed 3.1.2-bp152.4.3.1

    Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation,

  • CVE-2018-1000225MedAug 20, 2018
    affected < 3.1.2-bp152.4.3.1fixed 3.1.2-bp152.4.3.1

    Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. Th

  • CVE-2018-10931CriAug 9, 2018
    affected < 3.1.2-bp152.4.3.1fixed 3.1.2-bp152.4.3.1

    It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon.

  • CVE-2017-1000469CriJan 3, 2018
    affected < 3.1.2-bp152.4.3.1fixed 3.1.2-bp152.4.3.1

    Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user.

  • CVE-2011-4953Oct 27, 2014
    affected < 3.1.2-bp152.4.3.1fixed 3.1.2-bp152.4.3.1

    The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet.

  • CVE-2012-2395Jun 16, 2012
    affected < 3.1.2-bp152.4.3.1fixed 3.1.2-bp152.4.3.1

    Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.