cbcvebase.
CVE-2021-40323
published 2021-10-04

CVE-2021-40323: Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.

Priority: P181 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 88.48% (99.8th percentile)

Affected (4 ranges)

Vendor          | Product | Version range                                     | Fixed in
cobbler_project | cobbler | <= 3.3.0                                          |
cobbler_project | cobbler | >= 0, < 3.3.0                                     | 3.3.0
cobbler_project | cobbler | >= 0, < d8f60bbf14a838c8c8a1dba98086b223e35fe70a | d8f60bbf14a838c8c8a1dba98086b223e35fe70a
cobbler_project | cobbler | >= 0, < 2.4.1-0ubuntu2+esm1                       | 2.4.1-0ubuntu2+esm1

Detection & IOCs (extracted from sources)

url: /cobbler_api
command: generate_script
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Clobber API XMLRPC Template Injection (CVE-2021-40323)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cobbler_api"; fast_pattern; startswith; http.request_body; content:"|3c|methodName|3e|generate|5f|script|3c 2f|methodName|3e|"; reference:url,github.com/cobbler/cobbler/issues/2795; reference:cve,2021-40323; classtype:web-application-attack; sid:2056380; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_10_01, cve CVE_2021_40323, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: |3c|methodName|3e|generate|5f|script|3c 2f|methodName|3e|
  • Exploit traffic is an HTTP POST to /cobbler_api with an XML body containing the 'generate_script' method name. Detect by matching POST method, URI /cobbler_api, and request body containing the XML-encoded methodName tag for generate_script.
  • The exploit uses the generate_script XMLRPC method with unsanitized parameters to achieve arbitrary file read (e.g., /etc/passwd) and template injection RCE via the Cheetah template engine.
  • Successful exploitation responses will be HTTP 200 with Content-Type text/xml and may contain /etc/passwd content matching patterns like 'root:.*:0', 'bin:.*:1', or 'nobody:.*:99'.
  • The attack leverages log poisoning via XMLRPC to inject Cheetah template directives into the Cobbler logfile, which are then executed server-side, resulting in RCE.
  • The vulnerability affects only Cobbler versions before 3.3.0. Red Hat Enterprise Linux 8 (rhn-tools:1.0/cobbler) is listed as Not Affected.
  • The Snort/ET rule (sid:2056380) requires TLS decryption (SSLDecrypt deployment) to inspect encrypted HTTPS traffic to the Cobbler API endpoint.
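As an added defensive example (not part of this record, the ET ruleset, or Cobbler), the matching logic of the Snort rule above expressed in Python and run over constructed plaintext requests. It assumes the HTTP has already been decrypted, as the rule's SSLDecrypt note requires, and it parses the XML-RPC body rather than substring-matching, so a methodName padded with whitespace is still caught.

```python
"""Flag HTTP requests matching the CVE-2021-40323 detection logic:
POST to /cobbler_api whose XML-RPC body calls generate_script."""
import re
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted input

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d$")


def xmlrpc_method_name(body: str):
    """Return the <methodName> of an XML-RPC methodCall body, or None if it is not one."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    name = root.findtext("methodName")
    return name.strip() if name else None


def is_cobbler_generate_script(raw_request: str) -> bool:
    """Mirror the rule: POST method, URI starting with /cobbler_api, body calling generate_script."""
    head, _, body = raw_request.partition("\r\n\r\n")
    match = REQUEST_LINE.match(head.split("\r\n", 1)[0])
    if not match or match.group("method") != "POST":
        return False
    if not match.group("uri").startswith("/cobbler_api"):
        return False
    return xmlrpc_method_name(body) == "generate_script"


# Constructed sample requests (not captured traffic); host name and argument are made up.
SUSPICIOUS = (
    "POST /cobbler_api HTTP/1.1\r\nHost: cobbler.example.internal\r\n"
    "Content-Type: text/xml\r\n\r\n"
    "<?xml version='1.0'?><methodCall><methodName>generate_script</methodName>"
    "<params><param><value><string>default</string></value></param></params></methodCall>"
)
BENIGN = (
    "POST /cobbler_api HTTP/1.1\r\nHost: cobbler.example.internal\r\n"
    "Content-Type: text/xml\r\n\r\n"
    "<?xml version='1.0'?><methodCall><methodName>get_distros</methodName>"
    "<params/></methodCall>"
)

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", "ALERT" if is_cobbler_generate_script(req) else "ok")
```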

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |         | 4.0   | MEDIUM   |
vendor_redhat |         | 9.8   | CRITICAL |
vendor_ubuntu |         | 4.0   | MEDIUM   |