cbcvebase.
CVE-2024-47533
published 2024-11-18

CVE-2024-47533: Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in…

PriorityP272critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
3.95%
89.1th percentile
Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.

Affected

4 ranges
VendorProductVersion rangeFixed in
cobblercobbler
cobblercobbler
cobbler_projectcobbler>= 3.0.0 < 3.2.33.2.3
cobbler_projectcobbler>= 3.3.0 < 3.3.73.3.7

Detection & IOCsextracted from sources · hover to see the quote

url/cobbler_api
commandXML-RPC login with user '' and password -1
othershodan:http.title:"Cobbler Web Interface"
  • Send a POST request to /cobbler_api with XML-RPC payload calling 'login' with username '' and password '-1'. A successful authentication bypass returns an HTTP 200 with 'text/xml' content-type, containing '<value>' and '<string>' in the body, and does NOT contain '<fault>' or 'faultString'.
  • Match response body for presence of both '<value>' and '<string>' (condition: and) combined with absence of '<fault>' or 'faultString' (negative match) to confirm successful unauthenticated login.
  • Affected versions are 3.0.0 through 3.2.2 and 3.3.0 through 3.3.6. Fixed in 3.2.3 and 3.3.7. Identify exposed Cobbler instances via Shodan query: http.title:"Cobbler Web Interface".
  • ·The authentication bypass is unconditional — utils.get_shared_secret() always returns -1 on vulnerable versions, so any network-reachable Cobbler XML-RPC endpoint is exploitable without prior knowledge of credentials.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.