CVE-2010-2235 – cobbler

Package

Manager: pip
Name: cobbler
Vulnerable Version: >=0 <2.0.7

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:H/RL:U/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.01499 pctl0.80426

Details

Cobbler is vulnerable to code injection template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Satellite Server and other products, does not disable the ability of the Cheetah template engine to execute Python statements contained in templates, which allows remote authenticated administrators to execute arbitrary code via a crafted kickstart template file, a different vulnerability than CVE-2008-6954.

Metadata

Created: 2022-05-17T05:45:48Z
Modified: 2023-02-07T18:24:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jhm7-38xj-pvm8/GHSA-jhm7-38xj-pvm8.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-jhm7-38xj-pvm8
Finding: F422
Auto approve: 1