Vulnerability Name:

CVE-2008-6954 (CCN-46625)

Assigned:2008-11-15
Published:2008-11-15
Updated:2017-08-17
Summary:The web interface (CobblerWeb) in Cobbler before 1.2.9 allows remote authenticated users to execute arbitrary Python code in cobblerd by editing a Cheetah kickstart template to import arbitrary Python modules.
CVSS v3 Severity:8.0 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
6.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
8.5 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C)
6.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-264
Vulnerability Consequences:Gain Privileges
References:Source: MITRE
Type: CNA
CVE-2008-6954

Source: CCN
Type: freshmeat Web site
Cobbler 1.2.9 (Default)

Source: CONFIRM
Type: Patch
http://freshmeat.net/projects/cobbler/releases/288374

Source: OSVDB
Type: UNKNOWN
50291

Source: CCN
Type: SA32737
Cobbler Web Interface Privilege Escalation Vulnerability

Source: SECUNIA
Type: Vendor Advisory
32737

Source: SECUNIA
Type: Vendor Advisory
32804

Source: CCN
Type: OSVDB ID: 50291
Cobbler Web Interface Kickstart Template Manipulation Privilege Escalation

Source: BID
Type: Patch
32317

Source: CCN
Type: BID-32317
Cobbler Web Interface Kickstart Template Remote Privilege Escalation Vulnerability

Source: XF
Type: UNKNOWN
cobbler-interface-code-execution(46625)

Source: CCN
Type: Cobbler Web page
Cobbler

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-9723

Source: FEDORA
Type: UNKNOWN
FEDORA-2008-9745

Vulnerable Configuration:Configuration 1:
  • cpe:/a:michael_dehaan:cobbler:0.1.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.9:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.9:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.8:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.0.2-1:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.0.3-1:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:*:*:*:*:*:*:*:* (Version <= 1.2.8)

Configuration CCN 1:
  • cpe:/a:michael_dehaan:cobbler:1.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.0.3-1:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.0.2-1:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.6.5:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.6.4:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.6.3:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.8:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.6:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.5:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.9:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.9:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.8:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.7:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.5:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:michael_dehaan:cobbler:0.1.1.7:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable