CVE-2012-2395 - Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to ex

CVE-2012-2395

Summary

Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.

References

Vulnerable Configurations

cpe:2.3:a:michael_dehaan:cobbler:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:michael_dehaan:cobbler:2.2.0:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 13-02-2023 - 04:33)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

redhat via4

rpms

cobbler-0:2.0.7-14.6.el5sat
cobbler-0:2.0.7-14.6.el6sat

refmap via4

bid	53666
confirm	https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf https://github.com/cobbler/cobbler/issues/141
misc	https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
mlist	[oss-security] 20120523 CVE request: cobbler command injection [oss-security] 20120523 Re: CVE request: cobbler command injection
osvdb	82458
suse	SUSE-SU-2012:0814 openSUSE-SU-2012:0655

Last major update

13-02-2023 - 04:33

Published

16-06-2012 - 00:55

Last modified

13-02-2023 - 04:33