CVE-2008-6954
Published 2009-08-12
Priority P3 · 44 · critical 9 · CVSS 2.0
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
EPSS: 2.15% (79.8th percentile)
The web interface (CobblerWeb) in Cobbler before 1.2.9 allows remote authenticated users to execute arbitrary Python code in cobblerd by editing a Cheetah kickstart template to import arbitrary Python modules.
Affected
85 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cobbler_project | cobbler | >= 0 < 2.0.7 | 2.0.7 |
| cobbler_project | cobbler | >= 0 < 1.2.9 | 1.2.9 |
| michael_dehaan | cobbler | <= 1.2.8 | — |
| michael_dehaan | cobbler | <= 2.0.4 | — |
| michael_dehaan | cobbler | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| ghsa | — | 9.0 | CRITICAL | — |
| osv | — | 9.0 | CRITICAL | — |
| vendor_redhat | — | 9.0 | CRITICAL | — |
Red Hat
vendor_redhat · 2010-10-18 · CVSS 9.0
CVE-2010-2235 [CRITICAL] CWE-96 (cobbler): Code injection flaw (ACE as root) by processing of a specially-crafted kickstart template file
template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Satellite Server and other products, does not disable the ability of the Cheetah template engine to execute Python statements contained in templates, which allows remote authenticated administrators to execute arbitrary code via a crafted kickstart template file, a different vulnerability than CVE-2008-6954.
GHSA
ghsa · 2022-05-17 · CVSS 9.0
CVE-2010-2235 [CRITICAL] CWE-94 Cobbler is vulnerable to code injection
template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Satellite Server and other products, does not disable the ability of the Cheetah template engine to execute Python statements contained in templates, which allows remote authenticated administrators to execute arbitrary code via a crafted kickstart template file, a different vulnerability than CVE-2008-6954.
GHSA
ghsa · 2022-05-17
CVE-2008-6954 [HIGH] CWE-94 Cobbler Web Interface Kickstart Template Remote Privilege Escalation Vulnerability
The web interface (CobblerWeb) in Cobbler before 1.2.9 allows remote authenticated users to execute arbitrary Python code with the root privileges in cobblerd by editing a Cheetah kickstart template to import arbitrary Python modules.
OSV
osv · 2022-05-17
CVE-2008-6954 [HIGH] Cobbler Web Interface Kickstart Template Remote Privilege Escalation Vulnerability
The web interface (CobblerWeb) in Cobbler before 1.2.9 allows remote authenticated users to execute arbitrary Python code with the root privileges in cobblerd by editing a Cheetah kickstart template to import arbitrary Python modules.
OSV
osv · 2022-05-17 · CVSS 9.0
CVE-2010-2235 [CRITICAL] Cobbler is vulnerable to code injection
template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Satellite Server and other products, does not disable the ability of the Cheetah template engine to execute Python statements contained in templates, which allows remote authenticated administrators to execute arbitrary code via a crafted kickstart template file, a different vulnerability than CVE-2008-6954.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://freshmeat.net/projects/cobbler/releases/288374
http://osvdb.org/50291
http://secunia.com/advisories/32737
http://secunia.com/advisories/32804
http://www.securityfocus.com/bid/32317
https://exchange.xforce.ibmcloud.com/vulnerabilities/46625
https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00462.html
https://www.redhat.com/archives/fedora-package-announce/2008-November/msg00485.html