
Cobbler vulnerable to code injection via unsafe YAML loading

Moderate severity GitHub Reviewed Published May 17, 2022 to the GitHub Advisory Database • Updated Jan 15, 2024

Package

cobbler (pip)

Affected versions

< 2.6.0

Patched versions

2.6.0

Description

The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet.
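The fix behind this advisory was swapping `yaml.load` for `yaml.safe_load`, which refuses the `!!python/...` tags that let a YAML document construct arbitrary Python objects. The following is an added example, not Cobbler's code: a small `ast`-based audit that finds PyYAML call sites still using an arbitrary-object loader, so a reviewer can catch the same class of defect in other packages. `SAMPLE_SOURCE` and `FIXED_SOURCE` are constructed stand-ins for the vulnerable and patched pattern; the function and constant names are this example's own. It uses only the standard library, so it runs without PyYAML installed.

```python
"""Audit Python source for PyYAML loads that build arbitrary Python objects.

Added example (not part of the Cobbler project): finds yaml.load()/load_all()
calls that lack a safe Loader, plus the explicitly unsafe helpers.
Limitation: only `yaml.<name>(...)` attribute calls are recognised; a
`from yaml import load` alias would be missed.
"""
import ast

# Loaders that only produce plain data (str, int, float, list, dict, ...).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# Module-level helpers that are safe by construction.
SAFE_FUNCS = {"safe_load", "safe_load_all"}
# Helpers that deliberately construct arbitrary Python objects.
UNSAFE_FUNCS = {"unsafe_load", "unsafe_load_all"}


def _loader_name(node):
    """Return 'SafeLoader' for `yaml.SafeLoader` or a bare `SafeLoader`."""
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def _yaml_callee(call):
    """Return 'load' for a call shaped like `yaml.load(...)`, else None."""
    f = call.func
    if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
            and f.value.id == "yaml"):
        return f.attr
    return None


def find_unsafe_yaml_loads(source):
    """Return sorted (lineno, reason) pairs for risky PyYAML calls in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _yaml_callee(node)
        if name is None or name in SAFE_FUNCS:
            continue
        if name in UNSAFE_FUNCS:
            findings.append((node.lineno, f"yaml.{name}() builds arbitrary Python objects"))
            continue
        if name in ("load", "load_all"):
            # Loader may be passed as keyword or as the second positional arg.
            loader = None
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = _loader_name(kw.value)
            if loader is None and len(node.args) >= 2:
                loader = _loader_name(node.args[1])
            if loader is None:
                findings.append((node.lineno,
                                 f"yaml.{name}() without Loader: arbitrary-object loader on "
                                 "PyYAML < 5.1, warning on 5.x, TypeError on >= 6.0"))
            elif loader not in SAFE_LOADERS:
                findings.append((node.lineno,
                                 f"yaml.{name}() with Loader={loader}: not a known safe loader, "
                                 "use yaml.SafeLoader"))
    return sorted(findings)


# Constructed stand-in for the pattern the advisory describes (not Cobbler's code).
SAMPLE_SOURCE = '''\
import yaml

def set_mgmt_parameters(self, mgmt_parameters):
    # hypothetical setter that accepts a YAML string
    if isinstance(mgmt_parameters, str):
        data = yaml.load(mgmt_parameters)          # no Loader: flagged
    else:
        data = mgmt_parameters
    self.mgmt_parameters = data

def load_config(text):
    return yaml.safe_load(text)                    # fine

def load_legacy(text):
    return yaml.load(text, Loader=yaml.FullLoader) # flagged for review
'''

# Same module after the kind of fix the advisory records.
FIXED_SOURCE = SAMPLE_SOURCE.replace(
    "yaml.load(mgmt_parameters)", "yaml.safe_load(mgmt_parameters)"
).replace("Loader=yaml.FullLoader", "Loader=yaml.SafeLoader")


if __name__ == "__main__":
    for lineno, reason in find_unsafe_yaml_loads(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
    print("fixed source findings:", find_unsafe_yaml_loads(FIXED_SOURCE))
```

Run against `SAMPLE_SOURCE` it reports lines 6 and 15; against `FIXED_SOURCE` it reports nothing. `FullLoader` is flagged for review rather than treated as safe because it still constructs more than plain data; `SafeLoader` is the loader to standardise on for untrusted input.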

References

Published by the National Vulnerability Database Oct 27, 2014
Published to the GitHub Advisory Database May 17, 2022
Reviewed Jan 15, 2024
Last updated Jan 15, 2024

Severity

Moderate

EPSS score

0.720% (81st percentile)

CVE ID

CVE-2011-4953

GHSA ID

GHSA-hpj3-5p46-g87w

Source code
