CVE-2012-2395 — Command Injection in Project Cobbler

CWE-77 — Command Injection CWE-78 — OS Command Injection7 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.6%

top 29.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cobbler Project Cobbler Michael Dehaan Cobbler

Timeline

PublishedJun 16

Latest updateMay 17

Description

Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶PyPIcobbler_project/cobbler< 2.6.0

▶Ubuntucobbler_project/cobbler< 2.4.1-0ubuntu2+1

▶NVDmichael_dehaan/cobbler2.2.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Cobbler subject to Command Injection↗2022-05-17

▶

GHSA

Cobbler subject to Command Injection↗2022-05-17

▶

CVEList

CVE-2012-2395: Incomplete blacklist vulnerability in action_power↗2012-06-16

▶

OSV

CVE-2012-2395: Incomplete blacklist vulnerability in action_power↗2012-06-16

▶

📋Vendor Advisories

Red Hat

cobbler: command injection flaw in the power management XML-RPC API↗2012-04-23

▶

💬Community

Bugzilla

CVE-2012-2395 cobbler: command injection flaw in the power management XML-RPC API↗2012-05-23

▶