7.1

CVE-2021-45083

An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cobbler ProjectCobbler Version < 3.3.1
FedoraprojectFedora Version34
FedoraprojectFedora Version35
FedoraprojectFedora Version36
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.03% 0.076
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.1 1.8 5.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov 3.6 3.9 4.9
AV:L/AC:L/Au:N/C:P/I:P/A:N
CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://github.com/cobbler/cobbler/releases
Third Party Advisory
Release Notes
https://bugzilla.suse.com/show_bug.cgi?id=1193671
Third Party Advisory
Issue Tracking
https://www.openwall.com/lists/oss-security/2022/02/18/3
Patch
Third Party Advisory
Mailing List
Mitigation