PyPi: Cobbler

CVE-2010-2235

Safety vulnerability ID: 35339


The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Dec 09, 2010 Updated at Jan 16, 2025

Advisory

Cobbler 2.0.7 includes a fix for CVE-2010-2235: template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Satellite Server and other products, does not disable the ability of the Cheetah template engine to execute Python statements contained in templates, which allows remote authenticated administrators to execute arbitrary code via a crafted kickstart template file. This is a different vulnerability than CVE-2008-6954.

Affected package

cobbler

Latest version: 3.3.7

Network Boot and Update Server

Affected versions

Fixed versions

Vulnerability changelog

template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Satellite Server and other products, does not disable the ability of the Cheetah template engine to execute Python statements contained in templates, which allows remote authenticated administrators to execute arbitrary code via a crafted kickstart template file, a different vulnerability than CVE-2008-6954.


References:

- CONFIRM: http://people.fedoraproject.org/~shenson/cobbler/cobbler-2.0.8.tar.gz
- CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=607662
- REDHAT RHSA-2010:0775: http://www.redhat.com/support/errata/RHSA-2010-0775.html


Severity Details

CVSS Base Score: HIGH 8.5

CVSS v2 Details (HIGH 8.5, vector AV:N/AC:M/Au:S/C:C/I:C/A:C)

Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): SINGLE
Confidentiality Impact (C): COMPLETE
Integrity Impact (I): COMPLETE
Availability Impact (A): COMPLETE