cobbler@3.3.0 vulnerabilities

Network Boot and Update Server

Direct Vulnerabilities

Known vulnerabilities in the cobbler package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Improper Authentication

cobbler is a network install server.

Affected versions of this package are vulnerable to Improper Authentication due to the utils.get_shared_secret function. An attacker can gain full control of the server by connecting to the cobbler XML-RPC server using a hardcoded user and password.

How to fix Improper Authentication?

Upgrade cobbler to version 3.2.3, 3.3.7 or higher.

[3.1.2,3.2.3) [3.3.0,3.3.7)
  • M
Improper Input Validation

cobbler is a network install server.

Affected versions of this package are vulnerable to Improper Input Validation by navigating to a vulnerable URL via cobbler-web on a default installation.

How to fix Improper Input Validation?

There is no fixed version for cobbler.

[0,)
  • H
Improper Authorization

cobbler is a network install server.

Affected versions of this package are vulnerable to Improper Authorization when it is configured to authenticate via PAM, account validity is missing. Therefore expired accounts can still login.

How to fix Improper Authorization?

Upgrade cobbler to version 3.2.3, 3.3.1 or higher.

[,3.2.3) [3.3.0,3.3.1)
  • M
Improper Input Validation

cobbler is a network install server.

Affected versions of this package are vulnerable to Improper Input Validation due to improper sanitization of the run_triggers function in the modules/installation/pre_log.py module, which allows some user controller inputs to be appended in the /var/log/cobbler/install.log log file, exploiting this vulnerability might cause log file pollution.

How to fix Improper Input Validation?

Upgrade cobbler to version 3.3.1 or higher.

[,3.3.1)
  • H
Information Exposure

cobbler is a network install server.

Affected versions of this package are vulnerable to Information Exposure. The files in /etc/cobbler are world-readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation and has user read-write permissions. The settings.yaml file contains secrets such as the hashed default password and has user read-write permissions.

How to fix Information Exposure?

Upgrade cobbler to version 3.2.3, 3.3.1 or higher.

[,3.2.3) [3.3.0,3.3.1)
  • M
Insecure Defaults

cobbler is a network install server.

Affected versions of this package are vulnerable to Insecure Defaults as a lot of cobbler server entry points are served on HTTP protocol rather than HTTPS protocol.

How to fix Insecure Defaults?

Upgrade cobbler to version 3.2.3, 3.3.1 or higher.

[,3.2.3) [3.3.0,3.3.1)
  • H
Arbitrary Code Execution

cobbler is a network install server.

Affected versions of this package are vulnerable to Arbitrary Code Execution via lacking template sanitization of imported modules in the check_for_invalid_imports function (templar.py file), which allows Cheetah code to import Python modules using the "#from MODULE import" syntax.

How to fix Arbitrary Code Execution?

Upgrade cobbler to version 3.2.3, 3.3.1 or higher.

[,3.2.3) [3.3.0,3.3.1)