Bug 2006904 (CVE-2021-40325)

Summary: CVE-2021-40325 cobbler: Authorization bypass allows modifying settings
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: brejoc, jimi, kwizart, mmraka, ngompa13, orion, scott, tkasparek, tlestach, vanmeeuwen+fedora
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cobbler 3.3.0, cobbler 3.2.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in cobbler. This flaw lies in the token validation and could allow an attacker to bypass authorization and modify settings.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-09-24 08:52:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2006907, 2006906    
Bug Blocks: 2006908    

Description Pedro Sampaio 2021-09-22 16:15:17 UTC 
A flaw was found in Cobbler. Authorization bypass allows modifying settings.

References:

https://lists.suse.com/pipermail/sle-security-updates/2021-September/009468.html
https://github.com/cobbler/cobbler/issues/2795
https://github.com/cobbler/cobbler/pull/2794
Comment 1 Pedro Sampaio 2021-09-22 16:17:27 UTC 
Created cobbler tracking bugs for this issue:

Affects: epel-7 [bug 2006907]
Affects: fedora-all [bug 2006906]