Bug 2006840 (CVE-2021-40323)

Summary: CVE-2021-40323 cobbler: Arbitrary File Disclosure/Template Injection via generate_script RPC method
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: brejoc, jimi, kwizart, mmraka, ngompa13, orion, scott, tkasparek, tlestach, vanmeeuwen+fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cobbler 3.3.0, cobbler 3.2.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in cobbler. This flaw lies in the generate_script RPC method, which accepts unsanitized parameters. This flaw allows an attacker to read arbitrary files on the system as root. Further, the attacker could gain arbitrary code execution using template injection against the default Cheetah template engine, leading to the exposure of sensitive information or execution of arbitrary code. The highest threat from this vulnerability is to confidentiality and integrity.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-09-24 08:48:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2006884, 2006885    
Bug Blocks: 2006908    

Description Pedro Sampaio 2021-09-22 14:03:05 UTC
An arbitrary file disclosure/template injection flaw was found in Cobbler. It exposes an XMLRPC API interface that allows users to request some information without authentication.

References:

https://lists.suse.com/pipermail/sle-security-updates/2021-September/009468.html
https://github.com/cobbler/cobbler/issues/2795
https://github.com/cobbler/cobbler/pull/2794

Comment 1 Pedro Sampaio 2021-09-22 15:28:39 UTC
Created cobbler tracking bugs for this issue:

Affects: epel-7 [bug 2006885]
Affects: fedora-all [bug 2006884]