cobbler@3.2.2 vulnerabilities

Network Boot and Update Server

Direct Vulnerabilities

Known vulnerabilities in the cobbler package. This does not include vulnerabilities belonging to this package’s dependencies.

Improper Authentication (severity: Critical)

cobbler is a network install server.

Affected versions of this package are vulnerable to Improper Authentication due to the utils.get_shared_secret function: an attacker can gain full control of the server by connecting to the cobbler XML-RPC server using a hardcoded user and password.

How to fix Improper Authentication?

Upgrade cobbler to version 3.2.3, 3.3.7 or higher.

Vulnerable versions: [3.1.2,3.2.3), [3.3.0,3.3.7)
Improper Input Validation (severity: Medium)

Affected versions of this package are vulnerable to Improper Input Validation by navigating to a vulnerable URL via cobbler-web on a default installation.

How to fix Improper Input Validation?

There is no fixed version for cobbler.

Vulnerable versions: [0,)
Improper Authorization (severity: High)

Affected versions of this package are vulnerable to Improper Authorization when it is configured to authenticate via PAM: account validity is not checked, so expired accounts can still log in.

How to fix Improper Authorization?

Upgrade cobbler to version 3.2.3, 3.3.1 or higher.

Vulnerable versions: [,3.2.3), [3.3.0,3.3.1)
Improper Input Validation (severity: Medium)

Affected versions of this package are vulnerable to Improper Input Validation due to improper sanitization in the run_triggers function of the modules/installation/pre_log.py module, which allows some user-controlled inputs to be appended to the /var/log/cobbler/install.log log file; exploiting this vulnerability might cause log file pollution.

How to fix Improper Input Validation?

Upgrade cobbler to version 3.3.1 or higher.

Vulnerable versions: [,3.3.1)
Information Exposure (severity: High)

Affected versions of this package are vulnerable to Information Exposure. The files in /etc/cobbler are world-readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation and has user read-write permissions. The settings.yaml file contains secrets such as the hashed default password and has user read-write permissions.

How to fix Information Exposure?

Upgrade cobbler to version 3.2.3, 3.3.1 or higher.

Vulnerable versions: [,3.2.3), [3.3.0,3.3.1)
Insecure Defaults (severity: Medium)

Affected versions of this package are vulnerable to Insecure Defaults because many cobbler server entry points are served over HTTP rather than HTTPS.

How to fix Insecure Defaults?

Upgrade cobbler to version 3.2.3, 3.3.1 or higher.

Vulnerable versions: [,3.2.3), [3.3.0,3.3.1)
Arbitrary Code Execution (severity: High)

Affected versions of this package are vulnerable to Arbitrary Code Execution because the check_for_invalid_imports function (in templar.py) does not sanitize module imports in templates, which allows Cheetah template code to import Python modules using the "#from MODULE import" syntax.

How to fix Arbitrary Code Execution?

Upgrade cobbler to version 3.2.3, 3.3.1 or higher.

Vulnerable versions: [,3.2.3), [3.3.0,3.3.1)