rpm package
suse/cobbler&distro=SUSE Package Hub 15 SP2
pkg:rpm/suse/cobbler&distro=SUSE%20Package%20Hub%2015%20SP2
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-1000226 | Cri | 9.8 | < 3.1.2-bp152.4.3.1 | 3.1.2-bp152.4.3.1 | Aug 20, 2018 | Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation, | |
| CVE-2018-1000225 | Med | 6.1 | < 3.1.2-bp152.4.3.1 | 3.1.2-bp152.4.3.1 | Aug 20, 2018 | Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. Th | |
| CVE-2018-10931 | Cri | 9.8 | < 3.1.2-bp152.4.3.1 | 3.1.2-bp152.4.3.1 | Aug 9, 2018 | It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon. | |
| CVE-2017-1000469 | Cri | 9.8 | < 3.1.2-bp152.4.3.1 | 3.1.2-bp152.4.3.1 | Jan 3, 2018 | Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user. | |
| CVE-2011-4953 | — | < 3.1.2-bp152.4.3.1 | 3.1.2-bp152.4.3.1 | Oct 27, 2014 | The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet. | ||
| CVE-2012-2395 | — | < 3.1.2-bp152.4.3.1 | 3.1.2-bp152.4.3.1 | Jun 16, 2012 | Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API. |
- affected < 3.1.2-bp152.4.3.1fixed 3.1.2-bp152.4.3.1
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation,
- affected < 3.1.2-bp152.4.3.1fixed 3.1.2-bp152.4.3.1
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Cross Site Scripting (XSS) vulnerability in cobbler-web that can result in Privilege escalation to admin.. Th
- affected < 3.1.2-bp152.4.3.1fixed 3.1.2-bp152.4.3.1
It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon.
- affected < 3.1.2-bp152.4.3.1fixed 3.1.2-bp152.4.3.1
Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user.
- CVE-2011-4953Oct 27, 2014affected < 3.1.2-bp152.4.3.1fixed 3.1.2-bp152.4.3.1
The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet.
- CVE-2012-2395Jun 16, 2012affected < 3.1.2-bp152.4.3.1fixed 3.1.2-bp152.4.3.1
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.