CVE-2011-4953 — Improper Input Validation in Project Cobbler

CWE-20 — Improper Input Validation CWE-94 — Code Injection CWE-96 — Static Code Injection6 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

0.7%

top 27.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cobbler Project Cobbler

Timeline

PublishedOct 27

Latest updateMay 17

Description

The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶PyPIcobbler_project/cobbler< 2.6.0

▶NVDcobbler_project/cobbler2.2.1

🔴Vulnerability Details

GHSA

Cobbler vulnerable to code injection via unsafe YAML loading↗2022-05-17

▶

OSV

Cobbler vulnerable to code injection via unsafe YAML loading↗2022-05-17

▶

CVEList

CVE-2011-4953: The set_mgmt_parameters function in item↗2014-10-27

▶

📋Vendor Advisories

Red Hat

cobbler: Privilege escalation by processing of crafted management parameters↗2011-09-28

▶

💬Community

Bugzilla

CVE-2011-4953 cobbler: Privilege escalation by processing of crafted management parameters↗2012-04-12

▶