CPE Details
Cobbler Project Cobbler 2.8.5
2.8.5
2021-10-13
12h07 +00:00
12h07 +00:00
2021-10-13
12h49 +00:00
12h49 +00:00
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
CPE Name: cpe:2.3:a:cobbler_project:cobbler:2.8.5:*:*:*:*:*:*:*
Informations
Vendor
cobbler_projectProduct
cobblerVersion
2.8.5Related CVE
| CVE ID | Published | Description | Score | Severity |
|---|---|---|---|---|
| Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. | 9.1 |
Critical |
||
| An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password. | 7.1 |
High |
||
| An issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS. | 5.9 |
Medium |
||
| An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.) | 7.8 |
High |
||
| Cobbler before 3.3.0 allows authorization bypass for modification of settings. | 7.5 |
High |
||
| Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. | 7.5 |
High |
||
| Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. | 9.8 |
Critical |
2025©
tesweb SA
