Cobbler
CVE-2021-40324
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.
AnalysisAI
Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
Technical ContextAI
This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data. Affected products include: Cobbler Project Cobbler. Version information: before 3.3.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.
Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the lo
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibl
Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2. Rated critical severity (CVSS 9.1), this vul
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary comm
It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. Rated critical
Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated us
Cobbler before 3.3.0 allows authorization bypass for modification of settings. Rated high severity (CVSS 7.5), this vuln
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibl
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today