{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-04-20T00:00:00", "descriptions": [{"lang": "en", "value": "Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2012-07-23T09:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "SUSE-SU-2012:0814", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html"}, {"name": "[oss-security] 20120523 CVE request: cobbler command injection", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/05/23/4"}, {"name": "53666", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/53666"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf"}, {"name": "[oss-security] 20120523 Re: CVE request: cobbler command injection", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2012/05/23/18"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cobbler/cobbler/issues/141"}, {"name": "openSUSE-SU-2012:0655", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html"}, {"name": "82458", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://www.osvdb.org/82458"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T19:34:24.283Z"}, "title": "CVE Program Container", "references": [{"name": "SUSE-SU-2012:0814", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html"}, {"name": "[oss-security] 20120523 CVE request: cobbler command injection", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/05/23/4"}, {"name": "53666", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/53666"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf"}, {"name": "[oss-security] 20120523 Re: CVE request: cobbler command injection", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2012/05/23/18"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/cobbler/cobbler/issues/141"}, {"name": "openSUSE-SU-2012:0655", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html"}, {"name": "82458", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://www.osvdb.org/82458"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-2395", "datePublished": "2012-06-16T00:00:00", "dateReserved": "2012-04-19T00:00:00", "dateUpdated": "2024-08-06T19:34:24.283Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:michael_dehaan:cobbler:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "3937A0E5-7F9D-4FC5-9D0A-EE11C43A51FC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API."}, {"lang": "es", "value": "Vulnerabilidad de lista negra incompleta en action_power.py de Cobbler 2.2.0. Permite a atacantes remotos ejecutar comandos arbitrarios a trav\u00e9s de meta-caracteres de shell en los campos (1) username o (2) password del m\u00e9todo power_system method del API xmlrpc."}], "id": "CVE-2012-2395", "lastModified": "2024-11-21T01:39:00.770", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-06-16T00:55:07.310", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/05/23/18"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/05/23/4"}, {"source": "secalert@redhat.com", "url": "http://www.osvdb.org/82458"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/53666"}, {"source": "secalert@redhat.com", "url": "https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Patch"], "url": "https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf"}, {"source": "secalert@redhat.com", "url": "https://github.com/cobbler/cobbler/issues/141"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/05/23/18"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/05/23/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/82458"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/53666"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Patch"], "url": "https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/cobbler/cobbler/issues/141"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2012:1060", "cpe": "cpe:/a:redhat:network_satellite:5.4::el5", "impact": "moderate", "package": "cobbler-0:2.0.7-14.6.el6sat", "product_name": "Red Hat Network Satellite Server v 5.4", "release_date": "2012-07-09T00:00:00Z"}], "bugzilla": {"description": "cobbler: command injection flaw in the power management XML-RPC API", "id": "824460", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=824460"}, "csaw": false, "cvss": {"cvss_base_score": "8.5", "cvss_scoring_vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "status": "verified"}, "cwe": "CWE-78", "details": ["Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API."], "name": "CVE-2012-2395", "package_state": [{"cpe": "cpe:/a:redhat:network_satellite:5.3", "fix_state": "Not affected", "impact": "moderate", "package_name": "Server", "product_name": "Red Hat Satellite 5.3"}], "public_date": "2012-04-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2012-2395\nhttps://nvd.nist.gov/vuln/detail/CVE-2012-2395"], "statement": "This issue did not affect the version of cobbler as shipped with Red Hat Network Satellite Server 5.3.0, as it did not include the upstream commit 0e5f6f2d50d460f4c6b0c9f62cfed0ff5c546906 that introduced this flaw. This issue affects the version of cobbler as shipped with Red Hat Network Satellite Server 5.4.0.", "threat_severity": "Important"}