{"schema_version":"1.7.2","id":"OESA-2025-1527","modified":"2025-05-16T13:25:08Z","published":"2025-05-16T13:25:08Z","upstream":["CVE-2021-40323","CVE-2021-40324","CVE-2021-45081","CVE-2021-45082","CVE-2021-45083"],"summary":"cobbler security update","details":"Cobbler is a network install server. Cobbler supports PXE, ISO virtualized installs, and re-installing existing Linux machines. The last two modes use a helper tool, \u0026amp;apos;koan\u0026amp;apos;, that integrates with cobbler. Cobbler\u0026amp;apos;s advanced features include importing distributions from DVDs and rsync mirrors, kickstart templating, integrated yum mirroring, and built-in DHCP/DNS Management. Cobbler has a XML-RPC API for integration with other applications.\r\n\r\nSecurity Fix(es):\n\nCobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.(CVE-2021-40323)\n\nCobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.(CVE-2021-40324)\n\nAn issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS.(CVE-2021-45081)\n\nAn issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the \u0026quot;#from MODULE import\u0026quot; substring. (Only lines beginning with #import are blocked.)(CVE-2021-45082)\n\nAn issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it\u0026apos;s trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password.(CVE-2021-45083)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"cobbler","purl":"pkg:rpm/openEuler/cobbler\u0026distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.2.3-2.oe2403"}]}],"ecosystem_specific":{"noarch":["cobbler-3.2.3-2.oe2403.noarch.rpm","cobbler-web-3.2.3-2.oe2403.noarch.rpm"],"src":["cobbler-3.2.3-2.oe2403.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1527"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40323"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40324"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45081"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45082"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45083"}],"database_specific":{"severity":"Critical"}}