Wednesday, September 29, 2021

Arbitrary Code Execution - cobbler [,3.2.2)

Overview

cobbler is a network install server.

Affected versions of this package are vulnerable to Arbitrary Code Execution. The generate_script RPC method could be used to get arbitrary files on the system.

As many cobbler endpoints call the _log method, an attacker could call an endpoint of choice, insert malicious code into the log file via a crafted input, and use the generate_script method to evaluate the associated log file as a template, thereby achieving arbitrary code execution.
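The root cause described above is a template-rendering call that accepts a name resolving to a file outside the template directory, such as a log file. The following is an added example, not cobbler's code or its actual patch, of a containment check for that kind of endpoint; the function name, exception class, and directory layout are hypothetical.

```python
import os
import tempfile

class TemplatePathError(ValueError):
    """Requested script template is not a file inside the allowed directory."""

def resolve_script_template(scripts_dir, script_name):
    """Return the real path of script_name if it is a file inside scripts_dir."""
    if not script_name or "\x00" in script_name:
        raise TemplatePathError("empty or malformed script name")
    base = os.path.realpath(scripts_dir)
    # realpath collapses ".." and follows symlinks, so the containment check
    # is made against the file that would actually be opened and rendered.
    candidate = os.path.realpath(os.path.join(base, script_name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise TemplatePathError("script template outside allowed directory")
    if not os.path.isfile(candidate):
        raise TemplatePathError("script template not found")
    return candidate

def demo():
    """Check four request names against a constructed directory layout."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        scripts = os.path.join(root, "scripts")  # hypothetical template dir
        log = os.path.join(root, "log", "service.log")  # hypothetical log file
        os.makedirs(scripts)
        os.makedirs(os.path.dirname(log))
        for path, text in ((os.path.join(scripts, "late_script"), "echo ok\n"),
                           (log, "constructed log line\n")):
            with open(path, "w") as fh:
                fh.write(text)
        os.symlink(log, os.path.join(scripts, "link"))
        cases = {"plain name": "late_script",
                 "dot-dot to log": "../log/service.log",
                 "absolute log path": log,
                 "symlink to log": "link"}
        for label, name in cases.items():
            try:
                resolve_script_template(scripts, name)
                results[label] = True
            except TemplatePathError:
                results[label] = False
    return results

if __name__ == "__main__":
    print(demo())
```

Containment covers only the file-selection half of the issue; on affected installs the fix remains the upgrade to 3.2.2.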

Remediation

Upgrade cobbler to version 3.2.2 or higher.
