ID CVE-2012-2395
Summary Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.
References
Vulnerable Configurations
  • cpe:2.3:a:michael_dehaan:cobbler:2.2.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 13-02-2023 - 04:33)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: PARTIAL
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
rpms
  • cobbler-0:2.0.7-14.6.el5sat
  • cobbler-0:2.0.7-14.6.el6sat
refmap via4
bid 53666
confirm
misc https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
mlist
  • [oss-security] 20120523 CVE request: cobbler command injection
  • [oss-security] 20120523 Re: CVE request: cobbler command injection
osvdb 82458
suse
  • SUSE-SU-2012:0814
  • openSUSE-SU-2012:0655
Last major update 13-02-2023 - 04:33
Published 16-06-2012 - 00:55
Last modified 13-02-2023 - 04:33