GitHub Advisory Database: GHSA-XC7W-JVHX-P6Q9
May 14, 2022 - 2:52 a.m.

Cobbler Path Traversal vulnerability

2022-05-14 02:52:42
CWE-22
path traversal
cobbler 2.4.x
cobbler 2.6.x
remote authenticated users
arbitrary files
kickstart field
profile
web interface

CVSS2: 4

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

AI Score: 6.8
Confidence: Low

EPSS: 0.03
Percentile: 90.9%

Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile.

Affected configurations

Vulners
Node
Vendor: cobbler, Product: cobbler, Range: 2.4.0 - 2.4.7
OR
Vendor: cobbler, Product: cobbler, Range: 2.6.0 - 2.6.4

Vendor: cobbler, Product: cobbler, Version: *, CPE: cpe:2.3:a:cobbler:cobbler:*:*:*:*:*:*:*:*
