Cobbler Project Cobbler 2.8.5

CPE Details

Cobbler Project Cobbler 2.8.5
cobbler_project
cobbler
2.8.5
2021-10-13
12h07 +00:00
2021-10-13
12h49 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:cobbler_project:cobbler:2.8.5:*:*:*:*:*:*:*

Informations

Vendor

cobbler_project

Product

cobbler

Version

2.8.5

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2022-0860 2022-03-11 11h50 +00:00 Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.
9.1
Critical
CVE-2021-45083 2022-02-20 16h56 +00:00 An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password.
7.1
High
CVE-2021-45081 2022-02-20 16h52 +00:00 An issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS.
5.9
Medium
CVE-2021-45082 2022-02-18 22h23 +00:00 An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.)
7.8
High
CVE-2021-40325 2021-10-04 03h43 +00:00 Cobbler before 3.3.0 allows authorization bypass for modification of settings.
7.5
High
CVE-2021-40324 2021-10-04 03h39 +00:00 Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.
7.5
High
CVE-2021-40323 2021-10-04 03h37 +00:00 Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.
9.8
Critical
The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.