Upstream information

CVE-2012-2395 at MITRE

Description

Incomplete blacklist vulnerability in action_power.py in Cobbler 2.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields to the power_system method in the xmlrpc API.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having critical severity.

CVSS v2 Scores (National Vulnerability Database)

Base Score: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
SUSE Bugzilla entry: 763610 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product: SUSE Linux Enterprise Server 11 SP1-CLIENT-TOOLS
  Fixed package version(s):
  • koan >= 2.0.10-0.38.1
  Patchname: slesctsp1-cobbler

Product: SUSE Manager Client Tools for SLE 11 SP1
  Fixed package version(s):
  • koan >= 2.0.10-0.38.1
  SAT Patch Nr: 6378

Product: SUSE Manager 1.2 for SLE 11 SP1
  Fixed package version(s):
  • cobbler >= 2.0.10-0.38.1
  SAT Patch Nr: 6378

Product: openSUSE 11.4
  Fixed package version(s):
  • cobbler >= 2.2.1-45.1
  • cobbler-web >= 2.2.1-45.1
  • koan >= 2.2.1-45.1
  Patchname: openSUSE-2012-296

Product: openSUSE Tumbleweed
  Fixed package version(s):
  • cobbler >= 2.6.6-4.2
  • cobbler-tests >= 2.6.6-4.2
  • cobbler-web >= 2.6.6-4.2
  • koan >= 2.6.6-4.2
  Patchname: openSUSE Tumbleweed GA cobbler

Status of this issue by product and package

Product: SUSE Linux Enterprise Client Tools for SUSE Manager 11 SP1
  Source package: cobbler
  State: Released

Product: SUSE Manager Server 1.2
  Source package: cobbler
  State: Released