Vulnerability CVE-2017-1000469

Vulnerability Name:

CVE-2017-1000469 (CCN-137219)

Assigned:

2018-01-03

Published:

2018-01-03

Updated:

2018-01-17

Summary:

Cobbler version up to 2.8.2 is vulnerable to a command injection vulnerability in the "add repo" component resulting in arbitrary code execution as root user.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.6 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-20

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2017-1000469

Source: XF
Type: UNKNOWN
cobbler-cve20171000469-cmd-exec(137219)

Source: CCN
Type: cobbler GIT Repository
The Repos feature is vulnerable to commands injection attack #1845

Source: CONFIRM
Type: Exploit, Mitigation, Third Party Advisory
https://github.com/cobbler/cobbler/issues/1845

Vulnerable Configuration:

Configuration 1:

cpe:/a:cobbler_project:cobbler:*:*:*:*:*:*:*:* (Version <= 2.8.2)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20171000469	V	CVE-2017-1000469	2022-06-30
oval:org.opensuse.security:def:112087	P	cobbler-3.2.1.336+git.5639a3af-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:59838	P	Security update for log4j (Important)	2021-12-17
oval:org.opensuse.security:def:60431	P	Security update for gmp (Moderate)	2021-12-02
oval:org.opensuse.security:def:32221	P	Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)	2021-11-19
oval:org.opensuse.security:def:32210	P	Security update for opensc (Important)	2021-10-29
oval:org.opensuse.security:def:105629	P	cobbler-3.2.1.336+git.5639a3af-1.1 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:59538	P	Security update for mariadb (Moderate)	2021-09-09
oval:org.opensuse.security:def:60349	P	Security update for libesmtp (Important)	2021-09-02
oval:org.opensuse.security:def:32128	P	Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)	2021-06-18
oval:org.opensuse.security:def:32117	P	Security update for caribou (Important)	2021-06-10
oval:org.opensuse.security:def:60253	P	Security update for xen (Important)	2021-05-12
oval:org.opensuse.security:def:29353	P	Security update for gdm (Important)	2021-04-28
oval:org.opensuse.security:def:58927	P	Security update for tar (Low)	2021-03-29
oval:org.opensuse.security:def:58926	P	Security update for ovmf (Moderate)	2021-03-29
oval:org.opensuse.security:def:32278	P	Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)	2021-03-17
oval:org.opensuse.security:def:60469	P	Security update for freeradius-server (Low)	2021-03-04
oval:org.opensuse.security:def:32267	P	Security update for grub2 (Important)	2021-03-02
oval:org.opensuse.security:def:11200	P	Security update for cobbler (Moderate)	2021-01-14
oval:org.opensuse.security:def:96468	P	Security update for cobbler (Moderate)	2021-01-14
oval:org.opensuse.security:def:109815	P	Security update for cobbler (Moderate)	2021-01-14
oval:org.opensuse.security:def:103158	P	Security update for cobbler (Moderate)	2021-01-14
oval:org.opensuse.security:def:111282	P	Security update for cobbler (Moderate)	2021-01-11
oval:org.opensuse.security:def:27971	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:32577	P	man on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28478	P	Security update for zlib (Moderate)	2020-12-01
oval:org.opensuse.security:def:33369	P	Security update for wget (Moderate)	2020-12-01
oval:org.opensuse.security:def:31898	P	Security update for MozillaFirefox, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:59653	P	Security update for grub2 (Important)	2020-12-01
oval:org.opensuse.security:def:28679	P	Security update for flac	2020-12-01
oval:org.opensuse.security:def:28090	P	Security update for ghostscript-library (Important)	2020-12-01
oval:org.opensuse.security:def:32615	P	xdg-utils on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31920	P	Security update for ghostscript-library (Important)	2020-12-01
oval:org.opensuse.security:def:28520	P	Security update for openssl1 (Important)	2020-12-01
oval:org.opensuse.security:def:33397	P	Security update for cobbler (Moderate)	2020-12-01
oval:org.opensuse.security:def:27896	P	Security update for tidy (Low)	2020-12-01
oval:org.opensuse.security:def:32365	P	Security update for supportutils (Moderate)	2020-12-01
oval:org.opensuse.security:def:29306	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:28242	P	Security update for libwmf (Moderate)	2020-12-01
oval:org.opensuse.security:def:32687	P	kbd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:59357	P	Security update for ppp (Important)	2020-12-01
oval:org.opensuse.security:def:28619	P	Security update for xorg-x11-libXrender	2020-12-01
oval:org.opensuse.security:def:31984	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:27897	P	Security update for tiff (Moderate)	2020-12-01
oval:org.opensuse.security:def:32510	P	file-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:60508	P	perl-Tk on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31908	P	Security update for freetype2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28315	P	Security update for openssl (Important)	2020-12-01
oval:org.opensuse.security:def:32720	P	libnetpbm10 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28624	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:28101	P	Security update for git (Important)	2020-12-01
oval:org.opensuse.security:def:32626	P	OpenEXR on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:58949	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28531	P	Security update for acroread	2020-12-01
oval:org.opensuse.security:def:33408	P	Security update for cobbler (Moderate)	2020-12-01
oval:org.opensuse.security:def:31899	P	Security update for MozillaFirefox, firefox-glib2, firefox-gtk3 (Important)	2020-12-01
oval:org.opensuse.security:def:29317	P	Security update for IBM Java 1.4.2	2020-12-01
oval:org.opensuse.security:def:27885	P	Security update for rubygem-mail-2_3	2020-12-01
oval:org.opensuse.security:def:28174	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:32654	P	ed on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:31994	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:28569	P	Security update for lcms	2020-12-01
oval:org.opensuse.security:def:27907	P	Security update for Xen	2020-12-01
oval:org.opensuse.security:def:32521	P	gmime on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29342	P	Security update for cobbler (Moderate)	2020-12-01
oval:org.opensuse.security:def:28326	P	Security update for perl-DBD-mysql (Moderate)	2020-12-01
oval:org.opensuse.security:def:32731	P	libsamplerate on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28635	P	Security update for augeas (Moderate)	2020-12-01
oval:org.opensuse.security:def:27961	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:32566	P	libsamplerate on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:60586	P	Security update for cobbler (Moderate)	2020-12-01
oval:org.opensuse.security:def:31909	P	Security update for freetype2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:28467	P	Security update for xorg-x11-libXpm (Moderate)	2020-12-01
oval:org.opensuse.security:def:33358	P	Security update for openssl1 (Moderate)	2020-12-01
oval:org.opensuse.security:def:27895	P	Security update for subversion	2020-12-01
oval:org.opensuse.security:def:28668	P	Security update for MozillaFirefox	2020-12-01
oval:org.opensuse.security:def:28185	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:32665	P	freetype2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:59105	P	Security update for the Linux Kernel (Live Patch 32 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:28580	P	Security update for libproxy	2020-12-01
oval:org.opensuse.security:def:31910	P	Security update for fuse (Moderate)	2020-12-01
oval:org.opensuse.security:def:60137	P	Security update for squid (Critical)	2020-12-01
oval:org.opensuse.security:def:27886	P	Security update for rubygem-rack (Moderate)	2020-12-01
oval:org.opensuse.security:def:32354	P	Security update for squid3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:60558	P	unixODBC on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28231	P	Security update for libtirpc (Moderate)	2020-12-01
oval:org.opensuse.security:def:32676	P	gnutls on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28608	P	Security update for Xen	2020-12-01
oval:org.opensuse.security:def:83852	P	Security update for cobbler (Moderate)	2018-06-19
oval:com.ubuntu.artful:def:20171000469000	V	CVE-2017-1000469 on Ubuntu 17.10 (artful) - untriaged.	2018-01-03
oval:com.ubuntu.xenial:def:201710004690000000	V	CVE-2017-1000469 on Ubuntu 16.04 LTS (xenial) - medium.	2018-01-03
oval:com.ubuntu.trusty:def:20171000469000	V	CVE-2017-1000469 on Ubuntu 14.04 LTS (trusty) - medium.	2018-01-03
oval:com.ubuntu.xenial:def:20171000469000	V	CVE-2017-1000469 on Ubuntu 16.04 LTS (xenial) - medium.	2018-01-03

BACK