Lucene search

MitreCVE-2021-45083

HistoryFeb 20, 2022 - 6:15 p.m.

CVE-2021-45083

2022-02-2018:15:07

CWE-276

mitre

web.nvd.nist.gov

cobbler

cve-2021-45083

vulnerability

information security

nvd

sensitive data

access control

server security

CVSS2

3.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:P/A:N

CVSS3

7.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

6.7

Confidence

High

EPSS

Percentile

5.1%

JSON

An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it’s trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password.

Affected configurations

Nvd

Node

cobbler_projectcobblerRange<3.3.1

Node

fedoraprojectfedoraMatch34

fedoraprojectfedoraMatch35

fedoraprojectfedoraMatch36

VendorProductVersionCPE
cobbler_projectcobbler*cpe:2.3:a:cobbler_project:cobbler:*:*:*:*:*:*:*:*
fedoraprojectfedora34cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
fedoraprojectfedora35cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
fedoraprojectfedora36cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cobbler_project	cobbler	*	cpe:2.3:a:cobbler_project:cobbler::::::::
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
fedoraproject	fedora	35	cpe:2.3:o:fedoraproject:fedora:35:::::::*
fedoraproject	fedora	36	cpe:2.3:o:fedoraproject:fedora:36:::::::*