PT-2018-10192 · Cobbler+2

Cedric Buissart · Published 2018-08-09 · Updated 2024-06-15 · CVE-2018-10931

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: cobbler versions 2.6.x

Description: A flaw was discovered in cobbler where its CobblerXMLRPCInterface class exposes all functions over XMLRPC, allowing a remote, unauthenticated attacker to gain high privileges within cobbler and upload files to arbitrary locations in the context of the daemon.

Recommendations: For cobbler versions 2.6.x, consider restricting access to the CobblerXMLRPCInterface class until a patch is available. As a temporary workaround, limit the exposure of XMLRPC functions to prevent unauthorized access.

Fix


Weakness Enumeration

Related Identifiers

CVE-2018-10931
GHSA-8787-63PX-3M23
OPENSUSE-SU-2018:2590-1
OPENSUSE-SU-2021:0046-1
OPENSUSE-SU-2021:0058-1
OPENSUSE-SU-2024:10690-1
RHSA-2018:2372
SUSE-SU-2018:2550-1
SUSE-SU-2018:2551-1
SUSE-SU-2018:2561-1
SUSE-SU-2018:2608-1
USN-6475-1

Affected Products

SUSE
Ubuntu
Cobbler