cobbler_project 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk input validation and vendor risk cross-site scripting などに関し、一部は vendor impact unexpected behavior を招き、vendor surface software deployment and vendor surface production workloads 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2022-0860 | Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. | [email protected] | 9.1 | 0.74% | 2022-03-11 | 2024-11-21 |
| CVE-2021-45083 | An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password. | [email protected] | 7.1 | 0.03% | 2022-02-20 | 2024-11-21 |
| CVE-2021-45081 | An issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS. | [email protected] | 5.9 | 0.21% | 2022-02-20 | 2024-11-21 |
| CVE-2021-45082 | An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.) | [email protected] | 7.8 | 0.04% | 2022-02-19 | 2024-11-21 |
| CVE-2021-40325 | Cobbler before 3.3.0 allows authorization bypass for modification of settings. | [email protected] | 7.5 | 0.02% | 2021-10-04 | 2024-11-21 |
| CVE-2021-40324 | Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. | [email protected] | 7.5 | 2.39% | 2021-10-04 | 2024-11-21 |
| CVE-2021-40323 | Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. | [email protected] | 9.8 | 93.17% | 2021-10-04 | 2024-11-21 |
| CVE-2016-9605 | A flaw was found in cobbler software component version 2.6.11-1. It suffers from an invalid parameter validation vulnerability, leading the arbitrary file reading. The flaw is triggered by navigating to a vulnerable URL via cobbler-web on a default installation. | [email protected] | 6.1 | 0.30% | 2018-08-22 | 2024-11-21 |
| CVE-2018-10931 | It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon. | [email protected] | 9.8 | 36.05% | 2018-08-09 | 2024-11-21 |
| CVE-2017-1000469 | Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user. | [email protected] | 9.8 | 0.88% | 2018-01-03 | 2024-11-21 |
| CVE-2011-4953 | The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet. | [email protected] | 6.8 | 0.67% | 2014-10-27 | 2026-05-06 |