CVE-2012-2395
Published 2012-06-16
Priority P353 · high · CVSS 2.0 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS 5.56% (91.9th percentile)
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cobbler_project | cobbler | >= 0 < 2.6.0 | 2.6.0 |
| cobbler_project | cobbler | >= 0 < 2.4.1-0ubuntu2 | 2.4.1-0ubuntu2 |
| cobbler_project | cobbler | >= 0 < 2.4.1-0ubuntu2 | 2.4.1-0ubuntu2 |
| michael_dehaan | cobbler | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
OSV
osv · 2022-05-17
CVE-2012-2395 [HIGH] Cobbler subject to Command Injection
A Command Injection in action_power.py in Cobbler prior to v2.6.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.
GHSA
ghsa · 2022-05-17
CVE-2012-2395 [HIGH] CWE-77 Cobbler subject to Command Injection
A Command Injection in action_power.py in Cobbler prior to v2.6.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.
OSV
osv · 2012-06-16 · CVSS 7.5
CVE-2012-2395 [HIGH] CVE-2012-2395: Incomplete blacklist vulnerability in action_power
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.
Red Hat
vendor_redhat · 2012-04-23 · CVSS 7.5
CVE-2012-2395 [HIGH] CWE-78 cobbler: command injection flaw in the power management XML-RPC API
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.
Statement: This issue did not affect the version of cobbler as shipped with Red Hat Network Satellite Server 5.3.0, as it did not include the upstream commit 0e5f6f2d50d460f4c6b0c9f62cfed0ff5c546906 that introduced this flaw. This issue affects the version of cobbler as shipped with Red Hat Network Satellite Server 5.4.0.
No detection rules found.
No public exploits indexed.
References
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html
http://www.openwall.com/lists/oss-security/2012/05/23/18
http://www.openwall.com/lists/oss-security/2012/05/23/4
http://www.osvdb.org/82458
http://www.securityfocus.com/bid/53666
https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf
https://github.com/cobbler/cobbler/issues/141