{"schema_version":"1.7.2","id":"OESA-2025-1413","modified":"2025-04-11T13:44:37Z","published":"2025-04-11T13:44:37Z","upstream":["CVE-2024-47533"],"summary":"cobbler security update","details":"Cobbler is a network install server. Cobbler supports PXE, ISO virtualized installs, and re-installing existing Linux machines. The last two modes use a helper tool, 'koan', that integrates with cobbler. Cobbler's advanced features include importing distributions from DVDs and rsync mirrors, kickstart templating, integrated yum mirroring, and built-in DHCP/DNS Management. Cobbler has an XML-RPC API for integration with other applications.\r\n\r\nSecurity Fix(es):\n\nCobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue. (CVE-2024-47533)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"cobbler","purl":"pkg:rpm/openEuler/cobbler\u0026distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.2.0-5.oe2403sp1"}]}],"ecosystem_specific":{"noarch":["cobbler-3.2.0-5.oe2403sp1.noarch.rpm","cobbler-web-3.2.0-5.oe2403sp1.noarch.rpm"],"src":["cobbler-3.2.0-5.oe2403sp1.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1413"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47533"}],"database_specific":{"severity":"Critical"}}