Input validation error in Cobbler - CVE-2012-2395
Published: June 16, 2012 / Updated: August 11, 2020
Vulnerability identifier: #VU43981
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2012-2395
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cobbler project
Affected software:
Cobbler
Cobbler
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.
How to mitigate CVE-2012-2395
Install update from vendor's website.
Sources
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html
- http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html
- http://www.openwall.com/lists/oss-security/2012/05/23/18
- http://www.openwall.com/lists/oss-security/2012/05/23/4
- http://www.osvdb.org/82458
- http://www.securityfocus.com/bid/53666
- https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
- https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf
- https://github.com/cobbler/cobbler/issues/141