CVE-2018-10931
published 2018-08-09


Priority: P1 82
Severity: critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 67.86% (99.2th percentile)
It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler and upload files to arbitrary locations in the context of the daemon.

Affected

9 ranges

Vendor               Product    Version range                  Fixed in
cobbler_project      cobbler    >= 0 < 3.0.0                   3.0.0
cobbler_project      cobbler    >= 0 < 2.4.1-0ubuntu2+esm1     2.4.1-0ubuntu2+esm1
cobbler_project      cobbler    >= 2.6.0 < 3.0.0               3.0.0
cobbler_project      cobbler    2.6.0 – 2.6.11                 (not listed)
cobblerd             cobbler    >= 2.0.0                       (not listed)
redhat               satellite  (not listed)                   (not listed)
redhat               satellite  (not listed)                   (not listed)
redhat               satellite  (not listed)                   (not listed)
the_cobbler_project  cobbler    (not listed)                   (not listed)

Detection & IOCs (extracted from sources)

URL: /cobbler_api
Request: POST /cobbler_api HTTP/1.1, Content-Type: text/xml, method name _CobblerXMLRPCInterface__make_token, parameter "cobbler"
  • Monitor for unauthenticated POST requests to /cobbler_api containing the method name '_CobblerXMLRPCInterface__make_token', which indicates exploitation of the exposed private XMLRPC interface.
  • Alert on XMLRPC responses to /cobbler_api that do NOT contain 'faultCode' and DO contain a base64-like token string (matching regex `.*[a-zA-Z0-9].+==`), indicating a successful authentication bypass.
  • Use Shodan/FOFA/Google dorks to identify exposed Cobbler web interfaces as attack surface: shodan 'http.title:"cobbler web interface"', fofa 'title="cobbler web interface"', Google 'intitle:"cobbler web interface"'.
  • CVE-2018-10931 specifically involves CobblerXMLRPCInterface exporting ALL methods (including private ones prefixed with '__') over XMLRPC without authentication; monitor for XMLRPC calls using double-underscore mangled method names against /cobbler_api.
  • SELinux enforcement may limit the impact of file-upload exploitation but does not fully mitigate the vulnerability.
  • CVE-2018-10931 and CVE-2018-1000226 are distinct issues against the same endpoint (/cobbler_api); CVE-2018-10931 is about full private method exposure, while CVE-2018-1000226 is about missing token validation on specific API endpoints.
  • The most sensitive unauthenticated function in CVE-2018-1000226 is modify_settings(), which is absent in cobbler 2.0.7 (shipped with Red Hat Enterprise Satellite 5), reducing severity for that specific version.
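The first two detection bullets above, implemented as an added example (not part of this record or of the Cobbler project): it parses captured /cobbler_api XML-RPC request and response bodies, flags calls to Python name-mangled private methods, and flags non-fault responses that carry a base64-like token. The sample bodies are constructed, and the token regex is an assumption tightened from the `.*[a-zA-Z0-9].+==` pattern quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: XML-RPC call to a name-mangled private method on /cobbler_api.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<methodCall><methodName>_CobblerXMLRPCInterface__make_token</methodName>
<params><param><value><string>cobbler</string></value></param></params></methodCall>"""

# Constructed sample: success response (no faultCode) carrying a base64-like token.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<methodResponse><params><param><value><string>QWJjZGVmZ2hpamtsbW5vcA==</string>
</value></param></params></methodResponse>"""

# Constructed sample: a fault response, which must not trigger the token alert.
SAMPLE_FAULT = """<?xml version="1.0"?>
<methodResponse><fault><value><struct><member><name>faultCode</name>
<value><int>1</int></value></member></struct></value></fault></methodResponse>"""

# Python name mangling turns ClassName.__method into _ClassName__method.
MANGLED_RE = re.compile(r"^_[A-Za-z]\w*__\w+$")
# Assumed token shape: a run of base64 characters ending in "==" (see IOC regex above).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}==")


def request_method(body: str) -> str:
    """Return the methodName of an XML-RPC methodCall body ('' if absent)."""
    node = ET.fromstring(body).find("methodName")
    return node.text.strip() if node is not None and node.text else ""


def is_mangled_private_call(body: str) -> bool:
    """True when the request invokes a double-underscore mangled private method."""
    return bool(MANGLED_RE.match(request_method(body)))


def is_token_leak(body: str) -> bool:
    """True when a non-fault response contains a base64-like token string."""
    root = ET.fromstring(body)
    if root.find(".//fault") is not None:
        return False
    return bool(TOKEN_RE.search(" ".join(root.itertext())))


def alerts(request_body: str, response_body: str) -> list:
    """Alert names raised for one request/response pair against /cobbler_api."""
    found = []
    if is_mangled_private_call(request_body):
        found.append("private-method-call:" + request_method(request_body))
    if is_token_leak(response_body):
        found.append("token-returned-without-auth")
    return found
```

Running `alerts(SAMPLE_REQUEST, SAMPLE_RESPONSE)` on the constructed pair returns both alert names; the fault sample raises none on the response side.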

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa                    9.8    CRITICAL
osv                     9.8    CRITICAL
vendor_redhat           9.8    CRITICAL
vendor_ubuntu           4.0    MEDIUM