Bug 2327035 (CVE-2024-47533) - CVE-2024-47533 cobbler: Cobbler allows anyone to connect to cobbler XML-RPC server with a known password and make changes
Keywords:
Status: NEW
Alias: CVE-2024-47533
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2327075 2327076 2327077 2327078 2327079 2327080 2327081 2327082
Blocks:
Reported: 2024-11-18 17:02 UTC by OSIDB Bzimport
Modified: 2024-11-18 18:47 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-11-18 17:02:29 UTC
Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.

