OESA-2025-1467

Cobbler is a network install server. Cobbler supports PXE, ISO virtualized installs, and re-installing existing Linux machines. The last two modes use a helper tool, 'koan', that integrates with cobbler. Cobbler's advanced features include importing distributions from DVDs and rsync mirrors, kickstart templating, integrated yum mirroring, and built-in DHCP/DNS Management. Cobbler has a XML-RPC API for integration with other applications.

Security Fix(es):

Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.(CVE-2021-40323)

Cobbler before 3.3.0 allows arbitrary file write operations via uploadlogdata.(CVE-2021-40324)

An issue was discovered in Cobbler through 3.3.1. Routines in several files use the HTTP protocol instead of the more secure HTTPS.(CVE-2021-45081)

An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function checkforinvalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.)(CVE-2021-45082)

An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password.(CVE-2021-45083)