CVE-2021-40324
Published 2021-10-04
CVE-2021-40324: Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.
Priority: P262 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 68.64% (99.3th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cobbler_project | cobbler | <= 3.3.0 | — |
| cobbler_project | cobbler | >= 0 < 3.3.0 | 3.3.0 |
| cobbler_project | cobbler | >= 0 < d8f60bbf14a838c8c8a1dba98086b223e35fe70a | d8f60bbf14a838c8c8a1dba98086b223e35fe70a |
| cobbler_project | cobbler | >= 0 < 2.4.1-0ubuntu2+esm1 | 2.4.1-0ubuntu2+esm1 |
Detection & IOCs (extracted from sources)
url: /cobbler_api
bytes: |3c|methodName|3e|upload|5f|log|5f|data|3c 2f|methodName|3e|
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Clobber API XMLRPC Arbitrary File Upload (CVE-2021-40324)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cobbler_api"; fast_pattern; startswith; http.request_body; content:"|3c|methodName|3e|upload|5f|log|5f|data|3c 2f|methodName|3e|"; reference:url,github.com/cobbler/cobbler/issues/2795; reference:cve,2021-40324; classtype:web-application-attack; sid:2056381; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_10_01, cve CVE_2021_40324, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit traffic is an HTTP POST request to the /cobbler_api endpoint containing an XMLRPC body invoking the upload_log_data method. Detect by matching POST method + URI /cobbler_api + request body containing the XML-encoded methodName 'upload_log_data'.
- The vulnerability is rooted in the anamon_enabled setting in cobblerd. If anamon support is enabled, the upload_log_data XMLRPC function accepts unsanitized user-supplied parameters, allowing arbitrary file writes.
- The Emerging Threats rule SID 2056381 (rev:1) covers this exploit with high confidence for both perimeter and internal deployments, including TLS-decrypted traffic (SSLDecrypt deployment tag).
- The anamon_enabled setting must be enabled for the vulnerability to be exploitable. Instances with anamon support disabled are not affected by this arbitrary file write path.
- Red Hat Enterprise Linux 8 (rhn-tools:1.0/cobbler package) is listed as Not Affected, so detection focus should be on standalone Cobbler deployments prior to version 3.3.0.
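The three matching conditions described above, applied to raw HTTP requests, as an added example that is not part of the original page or of the Emerging Threats rule set. The sample requests are constructed, the host name and argument values are placeholders, and the helper names are hypothetical; the structured parse of the XML-RPC body goes one step beyond the rule's literal byte match.

```python
import xmlrpc.client

# The three conditions of ET rule SID 2056381, with the byte pattern decoded.
URI_PREFIX = "/cobbler_api"
BODY_PATTERN = b"<methodName>upload_log_data</methodName>"


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, body


def matches_rule(raw: bytes) -> bool:
    """POST + URI starting with /cobbler_api + literal methodName in the body."""
    method, uri, body = split_request(raw)
    return method == "POST" and uri.startswith(URI_PREFIX) and BODY_PATTERN in body


def called_method(raw: bytes):
    """Parse the XML-RPC body and return the method name, or None if unparsable."""
    try:
        _params, name = xmlrpc.client.loads(split_request(raw)[2])
    except Exception:
        return None
    return name


def build_request(method: str, uri: str, rpc_method: str) -> bytes:
    """Constructed sample traffic; the argument value is an opaque placeholder."""
    body = xmlrpc.client.dumps(("placeholder-arg",), methodname=rpc_method).encode()
    head = f"{method} {uri} HTTP/1.1\r\nHost: cobbler.example\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode() + body


# Constructed samples: one request the rule should flag and two it should not.
SAMPLES = {
    "upload_log_data call": build_request("POST", "/cobbler_api", "upload_log_data"),
    "other XML-RPC call": build_request("POST", "/cobbler_api", "version"),
    "different endpoint": build_request("POST", "/other_api", "upload_log_data"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: alert={matches_rule(raw)} method={called_method(raw)}")
```

On hosts where anamon support is not needed, an alert from this logic is a strong signal, since no legitimate client should be calling upload_log_data there.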
CVSS provenance
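| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | | 4.0 | MEDIUM | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 4.0 | MEDIUM | |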
Ubuntu
Cobbler vulnerabilities
vendor_ubuntu·2023-11-13·CVSS 4.0
CVE-2021-40323 [MEDIUM] Cobbler vulnerabilities
Title: Cobbler vulnerabilities
Summary: Several security issues were fixed in Cobbler.
It was discovered that Cobbler did not properly handle user input, which
could result in an absolute path traversal. An attacker could possibly
use this issue to read arbitrary files. (CVE-2014-3225)
It was discovered that Cobbler did not properly handle user input, which
could result in command injection. An attacker could possibly use this
issue to execute arbitrary code with high privileges.
(CVE-2017-1000469, CVE-2021-45082)
It was discovered that Cobbler did not properly hide private functions in
a class. A remote attacker could possibly use this issue to gain high
privileges and upload files to an arbitrary location.
(CVE-2018-10931, CVE-2018-1000225, CVE-2018-1000226)
Nicolas Chatelain discov
Red Hat
cobbler: Arbitrary file write via upload_log_data XMLRPC function
vendor_redhat·2021-09-20·CVSS 7.5
CVE-2021-40324 [HIGH] CWE-20 cobbler: Arbitrary file write via upload_log_data XMLRPC function
Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.
A flaw was found in cobbler. The flaw lies in cobblerd's anamon support, specifically the upload_log_data XMLRPC function. An anamon_enabled setting, if enabled, accepts unsanitized user-supplied parameters. This flaw allows an attacker to write arbitrary files to the system. The highest threat from this vulnerability is to confidentiality, integrity, and availability.
Package: rhn-tools:1.0/cobbler (Red Hat Enterprise Linux 8) - Not affected
OSV
cobbler vulnerabilities
osv·2023-11-13·CVSS 4.0
CVE-2014-3225 [MEDIUM] cobbler vulnerabilities
It was discovered that Cobbler did not properly handle user input, which
could result in an absolute path traversal. An attacker could possibly
use this issue to read arbitrary files. (CVE-2014-3225)
It was discovered that Cobbler did not properly handle user input, which
could result in command injection. An attacker could possibly use this
issue to execute arbitrary code with high privileges.
(CVE-2017-1000469, CVE-2021-45082)
It was discovered that Cobbler did not properly hide private functions in
a class. A remote attacker could possibly use this issue to gain high
privileges and upload files to an arbitrary location.
(CVE-2018-10931, CVE-2018-1000225, CVE-2018-1000226)
Nicolas Chatelain discovered that Cobbler did not properly handle user
input, which coul
OSV
Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.
osv·2021-10-05
CVE-2021-40324 [HIGH] Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.
GHSA
Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.
ghsa·2021-10-05
CVE-2021-40324 [HIGH] CWE-434 Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.
OSV
CVE-2021-40324: Cobbler before 3
osv·2021-10-04
CVE-2021-40324 CVE-2021-40324: Cobbler before 3
Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.
Suricata
ET WEB_SPECIFIC_APPS Clobber API XMLRPC Arbitrary File Upload (CVE-2021-40324)
suricata·2024-10-01·CVSS 7.5
CVE-2021-40324 [HIGH] ET WEB_SPECIFIC_APPS Clobber API XMLRPC Arbitrary File Upload (CVE-2021-40324)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Clobber API XMLRPC Arbitrary File Upload (CVE-2021-40324)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cobbler_api"; fast_pattern; startswith; http.request_body; content:"|3c|methodName|3e|upload|5f|log|5f|data|3c 2f|methodName|3e|"; reference:url,github.com/cobbler/cobbler/issues/2795; reference:cve,2021-40324; classtype:web-application-attack; sid:2056381; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_10_01, cve CVE_2021_40324, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_01, mitre_ta
No public exploits indexed.
No writeups or analysis indexed.
Published: 2021-10-04