
Debian Cockpit vulnerabilities

6 known vulnerabilities affecting debian/cockpit.

Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 1, LOW 2

Vulnerabilities

CVE-2026-4631 | P1 | LOW | CVSS 9.8 | PoC | fixed in cockpit 360-1 (sid) | 2026
  [CRITICAL] cockpit - Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host w
  debian

CVE-2019-3804 | P3 | HIGH | CVSS 7.5 | fixed in cockpit 184-1 (bookworm) | 2019
  [HIGH] cockpit - It was found that cockpit before version 184 used glib's base64 decode functionality incorrectly resulting in a denial of service attack. An unauthenticated attacker could send a specially crafted request with an invalid base64-encoded cookie which could cause the web service to crash.
  Scope: local. bookworm: resolved (fixed in 184-1); bullseye: resolved (fixed in 184-1
  debian

CVE-2021-3698 | P3 | HIGH | CVSS 7.5 | fixed in cockpit 260-1 (bookworm) | 2021
  [HIGH] cockpit - A flaw was found in Cockpit in versions prior to 260 in the way it handles the certificate verification performed by the System Security Services Daemon (SSSD). This flaw allows client certificates to authenticate successfully, regardless of the Certificate Revocation List (CRL) configuration or the certificate status. The highest threat from this vulnerability is to
  debian

CVE-2024-2947 | P3 | HIGH | CVSS 7.3 | fixed in cockpit 287.1-0+deb12u1 (bookworm) | 2024
  [HIGH] cockpit - A flaw was found in Cockpit. Deleting a sosreport with a crafted name via the Cockpit web interface can lead to a command injection vulnerability, resulting in privilege escalation. This issue affects Cockpit versions 270 and newer.
  Scope: local. bookworm: resolved (fixed in 287.1-0+deb12u1); bullseye: resolved; forky: resolved (fixed in 314-1); sid: resolved (fixed in 31
  debian

CVE-2021-3660 | P4 | MEDIUM | CVSS 4.3 | fixed in cockpit 254-1 (bookworm) | 2021
  [MEDIUM] cockpit - Cockpit (and its plugins) do not seem to protect itself against clickjacking. It is possible to render a page from a cockpit server via another website, inside an HTML entry. This may be used by a malicious website in clickjacking or similar attacks.
  Scope: local. bookworm: resolved (fixed in 254-1); bullseye: open; forky: resolved (fixed in 254-1); sid: resolved (fixed
  debian

CVE-2024-6126 | P4 | LOW | CVSS 3.2 | fixed in cockpit 287.1-0+deb12u3 (bookworm) | 2024
  [LOW] cockpit - A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack.
  Scope: local. bookworm: resolved (fixed in 287.1-0+deb12u3); bullseye: open; forky: resolved (fixed in 320-1); sid: resolved (fixed in 320-1); trixie: resolved (fixed in 320-1)
  debian