9.8

CVE-2024-47533

EPSS 53.69%
Veröffentlicht 18.11.2024 17:15:11
Zuletzt bearbeitet 19.11.2024 21:57:56
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellercobbler_project

≫

Produkt cobbler

Default Statusunknown

Version < 3.2.3

Version 3.0.0

Status affected

Version < 3.3.7

Version 3.3.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	53.69%	0.979

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/cobbler/cobbler/commit/32c5cada013dc8daa7320a8eda9932c2814742b0

https://github.com/cobbler/cobbler/commit/e19717623c10b29e7466ed4ab23515a94beb2dda

https://github.com/cobbler/cobbler/security/advisories/GHSA-m26c-fcgh-cp6h

https://nvd.nist.gov/vuln/detail/CVE-2024-47533

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-47533

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-47533

EUVD