It was found that cobbler 2.6.x exposed all functions from its CobblerXMLRPCInterface class over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain high privileges within cobbler, upload files to arbitrary location in the context of the daemon.
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "python-cobbler": "2.4.1-0ubuntu2+esm1", "cobbler": "2.4.1-0ubuntu2+esm1", "cobbler-common": "2.4.1-0ubuntu2+esm1", "koan": "2.4.1-0ubuntu2+esm1", "cobbler-web": "2.4.1-0ubuntu2+esm1", "python-koan": "2.4.1-0ubuntu2+esm1" } ] }