An API-exposure flaw was found in cobbler, where it exported CobblerXMLRPCInterface private functions over XMLRPC. A remote, unauthenticated attacker could use this flaw to gain important privileges within cobbler, as well as upload files to an arbitrary location in the daemon context.
This issue has been addressed in the following products:
Red Hat Satellite 5.6
Red Hat Satellite 5.7
Red Hat Satellite 5.8
Via RHSA-2018:2372 https://access.redhat.com/errata/RHSA-2018:2372
Mitigation:
If SELinux is enabled, it might prevent some locations from accepting uploaded files from the attacker. This prevents some basic attacks allowing remote code execution, although it would not exclude all other possibilities.