CVE-2021-45083 — Incorrect Default Permissions in Project Cobbler

CWE-276 — Incorrect Default Permissions7 documents6 sources

Severity

7.1HIGHNVD

EPSS

0.0%

top 91.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cobbler Project Cobbler Fedoraproject Fedora

Timeline

PublishedFeb 20

Latest updateNov 13

Description

An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.8 | Impact: 5.2

Affected Packages2 packages

▶NVDcobbler_project/cobbler< 3.3.1

▶PyPIcobbler_project/cobbler< 3.3.1

Also affects: Fedora 34, 35, 36

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

Incorrect Default Permissions in Cobbler↗2022-02-21

▶

GHSA

Incorrect Default Permissions in Cobbler↗2022-02-21

▶

CVEList

CVE-2021-45083: An issue was discovered in Cobbler before 3↗2022-02-20

▶

OSV

CVE-2021-45083: An issue was discovered in Cobbler before 3↗2022-02-20

▶

📋Vendor Advisories

Ubuntu

Cobbler vulnerabilities↗2023-11-13

▶

Red Hat

cobbler: unsafe permissions on sensitive files in /etc/cobbler↗2022-02-18

▶