CVE-2012-2395

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2012-2395
Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.

7.5 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00016.html
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00000.html
http://www.openwall.com/lists/oss-security/2012/05/23/18
http://www.openwall.com/lists/oss-security/2012/05/23/4
http://www.osvdb.org/82458
http://www.securityfocus.com/bid/53666
https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/978999
https://github.com/cobbler/cobbler/commit/6d9167e5da44eca56bdf42b5776097a6779aaadf Exploit Patch
https://github.com/cobbler/cobbler/issues/141
Configurations

Configuration 1 (hide)

cpe:2.3:a:michael_dehaan:cobbler:2.2.0:*:*:*:*:*:*:*
History

13 Feb 2023, 04:33

Type Values Removed Values Added
References
  • {'url': 'https://access.redhat.com/errata/RHSA-2012:1060', 'name': 'https://access.redhat.com/errata/RHSA-2012:1060', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://access.redhat.com/security/cve/CVE-2012-2395', 'name': 'https://access.redhat.com/security/cve/CVE-2012-2395', 'tags': [], 'refsource': 'MISC'}
  • {'url': 'https://bugzilla.redhat.com/show_bug.cgi?id=824460', 'name': 'https://bugzilla.redhat.com/show_bug.cgi?id=824460', 'tags': [], 'refsource': 'MISC'}
Summary CVE-2012-2395 cobbler: command injection flaw in the power management XML-RPC API Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.

02 Feb 2023, 14:16

Type Values Removed Values Added
References
  • (MISC) https://access.redhat.com/errata/RHSA-2012:1060 -
  • (MISC) https://access.redhat.com/security/cve/CVE-2012-2395 -
  • (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=824460 -
Summary Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API. CVE-2012-2395 cobbler: command injection flaw in the power management XML-RPC API
Information

Published : 2012-06-16 00:55

Updated : 2023-12-10 11:16

NVD link : CVE-2012-2395

Mitre link : CVE-2012-2395

CVE.ORG link : CVE-2012-2395

JSON object : View

Products Affected

michael_dehaan

  • cobbler
CWE
NVD-CWE-Other