Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile.
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "python-cobbler": "2.4.1-0ubuntu2+esm1", "cobbler": "2.4.1-0ubuntu2+esm1", "cobbler-common": "2.4.1-0ubuntu2+esm1", "koan": "2.4.1-0ubuntu2+esm1", "cobbler-web": "2.4.1-0ubuntu2+esm1", "python-koan": "2.4.1-0ubuntu2+esm1" } ] }