CVE-2010-2235 — Static Code Injection in Project Cobbler

CWE-96 — Static Code Injection CWE-94 — Code Injection8 documents6 sources

Severity

8.5HIGHNVD

CNA9.0GHSA9.0OSV9.0

EPSS

1.8%

top 17.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cobbler Project Cobbler Michael Dehaan Cobbler

Timeline

PublishedDec 9

Latest updateMay 17

Description

template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Satellite Server and other products, does not disable the ability of the Cheetah template engine to execute Python statements contained in templates, which allows remote authenticated administrators to execute arbitrary code via a crafted kickstart template file, a different vulnerability than CVE-2008-6954.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 6.8 | Impact: 10.0

Affected Packages2 packages

▶PyPIcobbler_project/cobbler< 2.0.7

▶NVDmichael_dehaan/cobbler2.0.4+81

Patches

Patch: people.fedoraproject.org ↗Patch: people.fedoraproject.org ↗

🔴Vulnerability Details

GHSA

Cobbler is vulnerable to code injection↗2022-05-17

▶

OSV

Cobbler is vulnerable to code injection↗2022-05-17

▶

CVEList

CVE-2010-2235: template_api↗2010-12-09

▶

📋Vendor Advisories

Red Hat

(cobbler): Code injection flaw (ACE as root) by processing of a specially-crafted kickstart template file↗2010-10-18

▶

💬Community

Bugzilla

CVE-2010-2235 RHN Satellite (cobbler): Code injection flaw (ACE as root) by processing of a specially-crafted kickstart template file [fedora-all]↗2010-10-18

▶

Bugzilla

CVE-2010-2235 RHN Satellite (cobbler): Code injection flaw (ACE as root) by processing of a specially-crafted kickstart template file↗2010-06-24

▶

Bugzilla

CVE-2010-2235 Spacewalk (cobbler): Code injection flaw (ACE as root) by processing of a specially-crafted kickstart template file↗2010-06-23

▶