CVE-2008-6954 — Code Injection in Project Cobbler

CWE-264 CWE-94 — Code Injection CWE-96 — Static Code Injection6 documents5 sources

Severity

9.0CRITICALNVD

EPSS

1.6%

top 18.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cobbler Project Cobbler Michael Dehaan Cobbler

Timeline

PublishedAug 12

Latest updateMay 17

Description

The web interface (CobblerWeb) in Cobbler before 1.2.9 allows remote authenticated users to execute arbitrary Python code in cobblerd by editing a Cheetah kickstart template to import arbitrary Python modules.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 8.0 | Impact: 10.0

Affected Packages2 packages

▶PyPIcobbler_project/cobbler< 1.2.9

▶NVDmichael_dehaan/cobbler1.2.8+41

Patches

Patch: freshmeat.net ↗Patch: www.securityfocus.com ↗Patch: freshmeat.net ↗

🔴Vulnerability Details

GHSA

Cobbler Web Interface Kickstart Template Remote Privilege Escalation Vulnerability↗2022-05-17

▶

OSV

Cobbler Web Interface Kickstart Template Remote Privilege Escalation Vulnerability↗2022-05-17

▶

GHSA

Cobbler is vulnerable to code injection↗2022-05-17

▶

CVEList

CVE-2008-6954: The web interface (CobblerWeb) in Cobbler before 1↗2009-08-12

▶

📋Vendor Advisories

Red Hat

(cobbler): Code injection flaw (ACE as root) by processing of a specially-crafted kickstart template file↗2010-10-18

▶