cvelistv5 - cve-2022-0860

cve-2022-0860

Vulnerability from cvelistv5

Published

2022-03-11 12:50

Modified

2024-08-02 23:40

Severity ?

8.2 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Summary

Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.

References

URL	Tags
security@huntr.dev	https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa	Patch, Third Party Advisory
security@huntr.dev	https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d	Exploit, Issue Tracking, Patch, Third Party Advisory
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/
af854a3a-2127-422b-91ae-364da2661108	https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d	Exploit, Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/

Impacted products

Vendor

Product

Version

▼

cobbler

cobbler/cobbler

Version: unspecified < 3.3.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:40:04.519Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa"
          },
          {
            "name": "FEDORA-2022-224e71968f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/"
          },
          {
            "name": "FEDORA-2022-445ec90e7c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/"
          },
          {
            "name": "FEDORA-2022-ad2b0ad61b",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cobbler/cobbler",
          "vendor": "cobbler",
          "versions": [
            {
              "lessThan": "3.3.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285 Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-31T02:06:16",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa"
        },
        {
          "name": "FEDORA-2022-224e71968f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/"
        },
        {
          "name": "FEDORA-2022-445ec90e7c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/"
        },
        {
          "name": "FEDORA-2022-ad2b0ad61b",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/"
        }
      ],
      "source": {
        "advisory": "c458b868-63df-414e-af10-47e3745caa1d",
        "discovery": "EXTERNAL"
      },
      "title": "Improper Authorization in cobbler/cobbler",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-0860",
          "STATE": "PUBLIC",
          "TITLE": "Improper Authorization in cobbler/cobbler"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "cobbler/cobbler",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "3.3.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "cobbler"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-285 Improper Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d",
              "refsource": "CONFIRM",
              "url": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d"
            },
            {
              "name": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa",
              "refsource": "MISC",
              "url": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa"
            },
            {
              "name": "FEDORA-2022-224e71968f",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/"
            },
            {
              "name": "FEDORA-2022-445ec90e7c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/"
            },
            {
              "name": "FEDORA-2022-ad2b0ad61b",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/"
            }
          ]
        },
        "source": {
          "advisory": "c458b868-63df-414e-af10-47e3745caa1d",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2022-0860",
    "datePublished": "2022-03-11T12:50:10",
    "dateReserved": "2022-03-04T00:00:00",
    "dateUpdated": "2024-08-02T23:40:04.519Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:cobbler_project:cobbler:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"3.3.2\", \"matchCriteriaId\": \"17C04986-BDCA-44A7-8FF7-52E8A5BABFC9\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A930E247-0B43-43CB-98FF-6CE7B8189835\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.\"}, {\"lang\": \"es\", \"value\": \"Una Autorizaci\\u00f3n Inapropiada en el repositorio GitHub cobbler/cobbler versiones anteriores a 3.3.2\"}]",
      "id": "CVE-2022-0860",
      "lastModified": "2024-11-21T06:39:32.823",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 9.1, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.2}], \"cvssMetricV30\": [{\"source\": \"security@huntr.dev\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"baseScore\": 8.2, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 4.2}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:N\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-03-11T13:15:07.937",
      "references": "[{\"url\": \"https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa\", \"source\": \"security@huntr.dev\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d\", \"source\": \"security@huntr.dev\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/\", \"source\": \"security@huntr.dev\"}, {\"url\": \"https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security@huntr.dev",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@huntr.dev\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-285\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-863\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-0860\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2022-03-11T13:15:07.937\",\"lastModified\":\"2024-11-21T06:39:32.823\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.\"},{\"lang\":\"es\",\"value\":\"Una Autorizaci\u00f3n Inapropiada en el repositorio GitHub cobbler/cobbler versiones anteriores a 3.3.2\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}],\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cobbler_project:cobbler:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.3.2\",\"matchCriteriaId\":\"17C04986-BDCA-44A7-8FF7-52E8A5BABFC9\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD\"}]}]}],\"references\":[{\"url\":\"https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa\",\"source\":\"security@huntr.dev\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d\",\"source\":\"security@huntr.dev\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

ghsa-mcg6-h362-cmq5

Vulnerability from github

Published

2022-03-11 20:52

Modified

2024-11-18 16:26

Severity ?

8.2 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
6.7 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

Summary

Improper Authorization in cobbler

Details

Impact

If PAM is correctly configured and a user account is set to expired, the expired user-account is still able to successfully log into Cobbler in all places (Web UI, CLI & XMLRPC-API).

The same applies to user accounts with passwords set to be expired.

Patches

There is a patch for the latest Cobbler 3.3.2 available, however a backport will be done for 3.2.x.

Workarounds

Delete expired accounts which are able to access Cobbler via PAM.
Use chage -l <username> to lock the account. If the account has SSH-Keys attached then remove them completely.

References

Originally discovered by @ysf at https://www.huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d/

How to test if my Cobbler instance is affected?

The following pytest test assumes that your PAM setup is correct. In case the added user is not able to login, this test does not make sense to be executed.

```python def test_pam_login_with_expired_user(): # Arrange # create pam testuser test_username = "expired_user" test_password = "password" test_api = CobblerAPI() subprocess_1 = subprocess.run( ["perl", "-e", "'print crypt(\"%s\", \"%s\")'" % (test_username, test_password)], stdout=subprocess.PIPE ) subprocess.run(["useradd", "-p", subprocess_1.stdout, test_username]) # change user to be expired subprocess.run(["chage", "-E0", test_username])

# Act
result = pam.authenticate(test_api, test_username, test_password)

# Assert - login should fail
assert not result

```

For more information

If you have any questions or comments about this advisory: * Open an issue in the Cobbler repository * Ask in the Gitter/Matrix Chat * Email us at cobbler.project@gmail.com

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cobbler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-11T20:52:04Z",
    "nvd_published_at": "2022-03-11T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIf PAM is correctly configured and a user account is set to expired, the expired user-account is still able to successfully log into Cobbler in all places (Web UI, CLI \u0026 XMLRPC-API).\n\nThe same applies to user accounts with passwords set to be expired.\n\n### Patches\n\nThere is a patch for the latest Cobbler `3.3.2` available, however a backport will be done for `3.2.x`.\n\n### Workarounds\n\n- Delete expired accounts which are able to access Cobbler via PAM.\n- Use `chage -l \u003cusername\u003e` to lock the account. If the account has SSH-Keys attached then remove them completely.\n\n### References\n\n- Originally discovered by @ysf at https://www.huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d/\n\n### How to test if my Cobbler instance is affected?\n\nThe following `pytest` test assumes that your PAM setup is correct. In case the added user is not able to login, this test does not make sense to be executed.\n\n```python\ndef test_pam_login_with_expired_user():\n    # Arrange\n    # create pam testuser\n    test_username = \"expired_user\"\n    test_password = \"password\"\n    test_api = CobblerAPI()\n    subprocess_1 = subprocess.run(\n        [\"perl\", \"-e\", \"\u0027print crypt(\\\"%s\\\", \\\"%s\\\")\u0027\" % (test_username, test_password)],\n        stdout=subprocess.PIPE\n    )\n    subprocess.run([\"useradd\", \"-p\", subprocess_1.stdout, test_username])\n    # change user to be expired\n    subprocess.run([\"chage\", \"-E0\", test_username])\n\n    # Act\n    result = pam.authenticate(test_api, test_username, test_password)\n\n    # Assert - login should fail\n    assert not result\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the Cobbler repository](https://github.com/cobbler/cobbler/issues/new/choose)\n* Ask in the [Gitter/Matrix Chat](https://gitter.im/cobbler/community)\n* Email us at [cobbler.project@gmail.com](mailto:cobbler.project@gmail.com)\n",
  "id": "GHSA-mcg6-h362-cmq5",
  "modified": "2024-11-18T16:26:19Z",
  "published": "2022-03-11T20:52:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cobbler/cobbler/security/advisories/GHSA-mcg6-h362-cmq5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0860"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mcg6-h362-cmq5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cobbler/cobbler"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2022-177.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Authorization in cobbler"
}

fkie_cve-2022-0860

Vulnerability from fkie_nvd

Published

2022-03-11 13:15

Modified

2024-11-21 06:39

Severity ?

9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.

References

URL	Tags
security@huntr.dev	https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa	Patch, Third Party Advisory
security@huntr.dev	https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d	Exploit, Issue Tracking, Patch, Third Party Advisory
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/
security@huntr.dev	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/
af854a3a-2127-422b-91ae-364da2661108	https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d	Exploit, Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/

Impacted products

Vendor	Product	Version
cobbler_project	cobbler	*
fedoraproject	fedora	34
fedoraproject	fedora	35
fedoraproject	fedora	36

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cobbler_project:cobbler:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "17C04986-BDCA-44A7-8FF7-52E8A5BABFC9",
              "versionEndExcluding": "3.3.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
              "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
              "matchCriteriaId": "80E516C0-98A4-4ADE-B69F-66A772E2BAAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2."
    },
    {
      "lang": "es",
      "value": "Una Autorizaci\u00f3n Inapropiada en el repositorio GitHub cobbler/cobbler versiones anteriores a 3.3.2"
    }
  ],
  "id": "CVE-2022-0860",
  "lastModified": "2024-11-21T06:39:32.823",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.4,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-03-11T13:15:07.937",
  "references": [
    {
      "source": "security@huntr.dev",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d"
    },
    {
      "source": "security@huntr.dev",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/"
    },
    {
      "source": "security@huntr.dev",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/"
    },
    {
      "source": "security@huntr.dev",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

wid-sec-w-2022-1867

Vulnerability from csaf_certbund

Published

2022-03-13 23:00

Modified

2024-02-26 23:00

Summary

cobbler: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Cobbler ist ein Linux Installationsserver, welcher die schnelle Einrichtung von Netzwerk-Installationsumgebungen ermöglicht.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in cobbler ausnutzen, um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme

- UNIX - Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Cobbler ist ein Linux Installationsserver, welcher die schnelle Einrichtung von Netzwerk-Installationsumgebungen erm\u00f6glicht.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in cobbler ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-1867 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1867.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-1867 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1867"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2022-03-13",
        "url": "https://github.com/advisories/GHSA-mcg6-h362-cmq5"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:3750-1 vom 2022-10-26",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012690.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2023:1832-1 vom 2023-05-04",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-May/014723.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6475-1 vom 2023-11-15",
        "url": "https://ubuntu.com/security/notices/USN-6475-1"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2023:1831-1 vom 2024-02-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-February/018015.html"
      }
    ],
    "source_lang": "en-US",
    "title": "cobbler: Schwachstelle erm\u00f6glicht Umgehen von Sicherheitsvorkehrungen",
    "tracking": {
      "current_release_date": "2024-02-26T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:37:08.166+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2022-1867",
      "initial_release_date": "2022-03-13T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-03-13T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2022-03-23T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: FEDORA-2022-AD2B0AD61B, FEDORA-2022-224E71968F, FEDORA-2022-445EC90E7C"
        },
        {
          "date": "2022-10-26T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2023-05-04T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2023-11-14T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-02-26T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 3.3.2",
                "product": {
                  "name": "Open Source cobbler \u003c 3.3.2",
                  "product_id": "T022320"
                }
              }
            ],
            "category": "product_name",
            "name": "cobbler"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-0860",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in cobbler. Der Fehler besteht in der M\u00f6glichkeit, dass ein abgelaufenes Benutzerkonto immer noch in der Lage ist, sich an allen Stellen (Web UI, CLI \u0026 XMLRPC-API) erfolgreich anzumelden. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126"
        ]
      },
      "release_date": "2022-03-13T23:00:00.000+00:00",
      "title": "CVE-2022-0860"
    }
  ]
}

WID-SEC-W-2022-1867

Vulnerability from csaf_certbund

Published

2022-03-13 23:00

Modified

2024-02-26 23:00

Summary

cobbler: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen

Notes

Produktbeschreibung

Cobbler ist ein Linux Installationsserver, welcher die schnelle Einrichtung von Netzwerk-Installationsumgebungen ermöglicht.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in cobbler ausnutzen, um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme

- UNIX - Linux

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Cobbler ist ein Linux Installationsserver, welcher die schnelle Einrichtung von Netzwerk-Installationsumgebungen erm\u00f6glicht.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in cobbler ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX\n- Linux",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-1867 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-1867.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-1867 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1867"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2022-03-13",
        "url": "https://github.com/advisories/GHSA-mcg6-h362-cmq5"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2022:3750-1 vom 2022-10-26",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2022-October/012690.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2023:1832-1 vom 2023-05-04",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-May/014723.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-6475-1 vom 2023-11-15",
        "url": "https://ubuntu.com/security/notices/USN-6475-1"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2023:1831-1 vom 2024-02-27",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-February/018015.html"
      }
    ],
    "source_lang": "en-US",
    "title": "cobbler: Schwachstelle erm\u00f6glicht Umgehen von Sicherheitsvorkehrungen",
    "tracking": {
      "current_release_date": "2024-02-26T23:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:37:08.166+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2022-1867",
      "initial_release_date": "2022-03-13T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-03-13T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2022-03-23T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: FEDORA-2022-AD2B0AD61B, FEDORA-2022-224E71968F, FEDORA-2022-445EC90E7C"
        },
        {
          "date": "2022-10-26T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2023-05-04T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2023-11-14T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2024-02-26T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von SUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 3.3.2",
                "product": {
                  "name": "Open Source cobbler \u003c 3.3.2",
                  "product_id": "T022320"
                }
              }
            ],
            "category": "product_name",
            "name": "cobbler"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-0860",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in cobbler. Der Fehler besteht in der M\u00f6glichkeit, dass ein abgelaufenes Benutzerkonto immer noch in der Lage ist, sich an allen Stellen (Web UI, CLI \u0026 XMLRPC-API) erfolgreich anzumelden. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T002207",
          "T000126"
        ]
      },
      "release_date": "2022-03-13T23:00:00.000+00:00",
      "title": "CVE-2022-0860"
    }
  ]
}

gsd-2022-0860

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.

Aliases

CVE-2022-0860

Aliases

CVE-2022-0860

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-0860",
    "description": "Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.",
    "id": "GSD-2022-0860",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-0860.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-0860"
      ],
      "details": "Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.",
      "id": "GSD-2022-0860",
      "modified": "2023-12-13T01:19:11.781375Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@huntr.dev",
        "ID": "CVE-2022-0860",
        "STATE": "PUBLIC",
        "TITLE": "Improper Authorization in cobbler/cobbler"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "cobbler/cobbler",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "3.3.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "cobbler"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.0"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-285 Improper Authorization"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d",
            "refsource": "CONFIRM",
            "url": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d"
          },
          {
            "name": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa",
            "refsource": "MISC",
            "url": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa"
          },
          {
            "name": "FEDORA-2022-224e71968f",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/"
          },
          {
            "name": "FEDORA-2022-445ec90e7c",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/"
          },
          {
            "name": "FEDORA-2022-ad2b0ad61b",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/"
          }
        ]
      },
      "source": {
        "advisory": "c458b868-63df-414e-af10-47e3745caa1d",
        "discovery": "EXTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c3.3.2",
          "affected_versions": "All versions before 3.3.2",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-03-11",
          "description": "Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.",
          "fixed_versions": [
            "3.3.2"
          ],
          "identifier": "CVE-2022-0860",
          "identifiers": [
            "GHSA-mcg6-h362-cmq5",
            "CVE-2022-0860"
          ],
          "not_impacted": "All versions starting from 3.3.2",
          "package_slug": "pypi/Cobbler",
          "pubdate": "2022-03-11",
          "solution": "Upgrade to version 3.3.2 or above.",
          "title": "Improper Authorization in cobbler",
          "urls": [
            "https://github.com/cobbler/cobbler/security/advisories/GHSA-mcg6-h362-cmq5",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-0860",
            "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa",
            "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d",
            "https://github.com/advisories/GHSA-mcg6-h362-cmq5"
          ],
          "uuid": "475723c9-d999-4a89-a7f0-4ad527660320"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:cobbler_project:cobbler:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.3.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@huntr.dev",
          "ID": "CVE-2022-0860"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-285"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d"
            },
            {
              "name": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa"
            },
            {
              "name": "FEDORA-2022-224e71968f",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/"
            },
            {
              "name": "FEDORA-2022-ad2b0ad61b",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/"
            },
            {
              "name": "FEDORA-2022-445ec90e7c",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 6.4,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      },
      "lastModifiedDate": "2022-05-23T22:05Z",
      "publishedDate": "2022-03-11T13:15Z"
    }
  }
}

pysec-2022-177

Vulnerability from pysec

Published

2022-03-11 13:15

Modified

2022-04-11 00:47

Details

Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cobbler",
        "purl": "pkg:pypi/cobbler"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9044aa990a94752fa5bd5a24051adde099280bfa"
            }
          ],
          "repo": "https://github.com/cobbler/cobbler",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.6.3-2",
        "3.1.2",
        "3.2.1",
        "3.2.2",
        "3.3.0",
        "3.3.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0860",
    "GHSA-mcg6-h362-cmq5"
  ],
  "details": "Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.",
  "id": "PYSEC-2022-177",
  "modified": "2022-04-11T00:47:24.533946Z",
  "published": "2022-03-11T13:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d"
    },
    {
      "type": "FIX",
      "url": "https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-mcg6-h362-cmq5"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2022-0860

Vulnerability from cvelistv5

ghsa-mcg6-h362-cmq5

Vulnerability from github

Impact

Patches

Workarounds

References

How to test if my Cobbler instance is affected?

For more information

fkie_cve-2022-0860

Vulnerability from fkie_nvd

wid-sec-w-2022-1867

Vulnerability from csaf_certbund

WID-SEC-W-2022-1867

Vulnerability from csaf_certbund

gsd-2022-0860

Vulnerability from gsd

pysec-2022-177

Vulnerability from pysec

Tags

Sightings

Nomenclature