CVE-2012-2395

Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.

Published: Jun 16, 2012
Updated: May 9, 2024
CVE: CVE-2012-2395
GHSA: GHSA-g34c-mg6m-xvxj
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-77

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
michael_dehaan / cobbler	2.2.0	2.2.0.x
cobbler	-	2.6.0

http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html
http://www.openwall.com/lists/oss-security/2012/05/23/18
http://www.openwall.com/lists/oss-security/2012/05/23/4
http://www.osvdb.org/82458
http://www.securityfocus.com/bid/53666
https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf
https://github.com/cobbler/cobbler/issues/141
https://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html
https://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html
https://web.archive.org/web/20120712025653/http://www.securityfocus.com/bid/53666
https://www.openwall.com/lists/oss-security/2012/05/23/18
https://www.openwall.com/lists/oss-security/2012/05/23/4
https://www.osvdb.org/82458

Vulnerability Database

CVE-2012-2395

Deep Security Visibility Without the Complexity