Cobbler Project: CVE search results (14 matches found)

CVE-2021-45082 (added 2022/02/19 12:15 a.m., 180 views)

An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.)

CVSS 7.8 | AI score 7.5 | EPSS 0.00038
CVE-2018-10931 (added 2018/08/09 8:29 p.m., 157 views)

It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler and upload files to arbitrary locations in the context of the daemon.

CVSS 9.8 | AI score 9.4 | EPSS 0.67782
CVE-2017-1000469 (added 2018/01/03 8:29 p.m., 146 views)

Cobbler versions up to 2.8.2 are vulnerable to a command injection vulnerability in the "add repo" component, resulting in arbitrary code execution as the root user.

CVSS 10 | AI score 9.6 | EPSS 0.01435
CVE-2022-0860 (added 2022/03/11 1:15 p.m., 130 views)

Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.

CVSS 9.1 | AI score 8.7 | EPSS 0.00663
CVE-2021-40323 (added 2021/10/04 6:15 a.m., 122 views)

Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.

CVSS 9.8 | AI score 9.6 | EPSS 0.93927
CVE-2021-45083 (added 2022/02/20 6:15 p.m., 119 views)

An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler ...

CVSS 7.1 | AI score 6.7 | EPSS 0.00026
CVE-2011-4953 (added 2014/10/27 1:55 a.m., 117 views)

The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet.

CVSS 6.8 | AI score 9.4 | EPSS 0.00706
CVE-2021-40325 (added 2021/10/04 6:15 a.m., 106 views)

Cobbler before 3.3.0 allows authorization bypass for modification of settings.

CVSS 7.5 | AI score 8.4 | EPSS 0.00025
CVE-2021-40324 (added 2021/10/04 6:15 a.m., 99 views)

Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.

CVSS 7.5 | AI score 8.5 | EPSS 0.03531
CVE-2021-45081 (added 2022/02/20 6:15 p.m., 94 views)

An issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS.

CVSS 5.9 | AI score 5.6 | EPSS 0.00206
CVE-2024-47533 (added 2024/11/18 5:15 p.m., 78 views)

Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. utils.get_shared_secret() always returns -1, which allows anyone to connect to cobbler...

CVSS 9.8 | AI score 9.6 | EPSS 0.0029
CVE-2011-4952 (added 2019/11/19 4:15 p.m., 50 views)

cobbler: Web interface lacks CSRF protection when using Django framework

CVSS 8.8 | AI score 8.6 | EPSS 0.00274
CVE-2016-9605 (added 2018/08/22 9:29 p.m., 42 views)

A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading to arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation.

CVSS 6.1 | AI score 6.1 | EPSS 0.00305
CVE-2011-4954 (added 2019/11/19 4:15 p.m., 38 views)

cobbler has local privilege escalation via the use of an insecure location for PYTHON_EGG_CACHE

CVSS 7.8 | AI score 7.8 | EPSS 0.00132