PT-2022-13479 · Cobbler+2

Published 2022-03-11 · Updated 2024-06-15 · CVE-2022-0860

CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: cobbler/cobbler versions prior to 3.3.2
Description: The issue concerns improper authorization in the GitHub repository cobbler/cobbler. If PAM is correctly configured and a user account is set to expired, the expired user account is still able to log into Cobbler successfully everywhere, including the Web UI, the CLI, and the XML-RPC API. This also applies to user accounts whose passwords are set to expired.
Recommendations: For versions prior to 3.3.2, update to version 3.3.2 or later to resolve the issue. As a temporary workaround, consider deleting expired accounts that are able to access Cobbler via PAM. Use chage -l <username> to lock the account. If the account has SSH keys attached, remove them completely.
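The failure mode the description names (password verified, account expiry never consulted) is the difference between PAM's authentication stage and its account-management stage. The script below is an added illustration, not Cobbler's code and not part of this advisory: it parses constructed /etc/shadow-style records, uses a constructed stand-in for crypt(3) so it runs offline, and contrasts a login path that stops after the password check with one that also evaluates account expiry, password expiry and locks. The `accounts_not_ok` helper lists the accounts such a check would reject, which is the set the workaround above tells you to review; all names, dates and the hash scheme are assumptions made for the example.

```python
"""Added illustration (not Cobbler's code): a PAM-style login must run the
account-management checks after password verification. Records and the hash
scheme are constructed stand-ins so the script runs offline."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def stand_in_hash(salt: str, password: str) -> str:
    # Constructed stand-in for crypt(3); a real shadow file uses yescrypt/sha512-crypt.
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class ShadowEntry:
    name: str
    pw_hash: str
    lastchg: Optional[int]   # days since 1970-01-01 of the last password change
    max_age: Optional[int]   # maximum days a password stays valid
    inactive: Optional[int]  # grace days after password expiry before the account locks
    expire: Optional[int]    # account expiry in days since epoch (what chage -E sets)


def parse_shadow_line(line: str) -> ShadowEntry:
    """name:hash:lastchg:min:max:warn:inactive:expire:flag (nine colon-separated fields)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("malformed shadow record: %r" % line)

    def opt(s: str) -> Optional[int]:
        return int(s) if s else None

    return ShadowEntry(fields[0], fields[1], opt(fields[2]), opt(fields[4]),
                       opt(fields[6]), opt(fields[7]))


def load_shadow(text: str) -> Dict[str, ShadowEntry]:
    return {e.name: e for e in (parse_shadow_line(l) for l in text.splitlines() if l.strip())}


def password_matches(entry: ShadowEntry, password: str) -> bool:
    salt = entry.pw_hash.split("$", 1)[0]
    return hmac.compare_digest(stand_in_hash(salt, password), entry.pw_hash)


def account_status(entry: ShadowEntry, today: int) -> str:
    """The checks pam_unix applies in its account-management stage (pam_acct_mgmt)."""
    if entry.pw_hash.startswith(("!", "*")):
        return "locked"                      # usermod -L / passwd -l
    if entry.expire is not None and today >= entry.expire:
        return "account-expired"             # chage -E in the past
    if entry.lastchg is not None and entry.max_age is not None:
        pw_expiry = entry.lastchg + entry.max_age
        if today > pw_expiry:
            if entry.inactive is not None and today > pw_expiry + entry.inactive:
                return "locked"              # inactivity grace period exhausted
            return "password-expired"
    return "ok"


def login_password_only(db: Dict[str, ShadowEntry], user: str, password: str, today: int) -> bool:
    """Vulnerable pattern: success is decided by the password alone."""
    entry = db.get(user)
    return entry is not None and password_matches(entry, password)


def login_with_account_check(db: Dict[str, ShadowEntry], user: str, password: str,
                             today: int) -> Tuple[bool, str]:
    """Fixed pattern: password check, then the account-management verdict."""
    entry = db.get(user)
    if entry is None or not password_matches(entry, password):
        return False, "bad-credentials"
    status = account_status(entry, today)
    return status == "ok", status


def accounts_not_ok(db: Dict[str, ShadowEntry], today: int):
    """Accounts PAM would reject: the set the advisory's workaround asks you to review."""
    return sorted(n for n, e in db.items() if account_status(e, today) != "ok")


TODAY = 19000  # constructed "days since epoch"
SHADOW_TEXT = "\n".join([
    "alice:%s:18900:0:90:7:::" % stand_in_hash("s1", "alice-pw"),      # password expired 10 days ago
    "bob:%s:18990:0:99999:7::18950:" % stand_in_hash("s2", "bob-pw"),  # account expired (chage -E)
    "carol:%s:18990:0:99999:7:::" % stand_in_hash("s3", "carol-pw"),   # valid account
    "dave:!%s:18990:0:99999:7:::" % stand_in_hash("s4", "dave-pw"),    # locked hash
])
SHADOW_DB = load_shadow(SHADOW_TEXT)

if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw")]:
        print(user, "password-only:", login_password_only(SHADOW_DB, user, pw, TODAY),
              "with account check:", login_with_account_check(SHADOW_DB, user, pw, TODAY))
    print("needs attention:", accounts_not_ok(SHADOW_DB, TODAY))
```

Run as a script and alice and bob both pass the password-only path while the account-checked path rejects them with the reason PAM would give; only carol is allowed by both. Any service that fronts PAM (a web UI, a CLI, an RPC endpoint) has to reach the second verdict, not just the first.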

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

CVE-2022-0860
GHSA-MCG6-H362-CMQ5
OPENSUSE-SU-2023_1831-1
OPENSUSE-SU-2024:11904-1
PYSEC-2022-177
SUSE-SU-2022:3750-1
SUSE-SU-2022:3761-1
SUSE-SU-2023:0592-1
USN-6475-1

Affected Products

Suse
Ubuntu
Cobbler