SB2012061601 - Input validation error in Cobbler
Published: June 16, 2012 Updated: August 11, 2020
Security Bulletin ID
SB2012061601
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2012-2395)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html
- http://www.openwall.com/lists/oss-security/2012/05/23/18
- http://www.openwall.com/lists/oss-security/2012/05/23/4
- http://www.osvdb.org/82458
- http://www.securityfocus.com/bid/53666
- https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
- https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf
- https://github.com/cobbler/cobbler/issues/141