CVE-2021-45082

Published: Feb 19, 2022Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the "#from MODULE import" substring. (Only lines beginning with #import are blocked.)

Affected (11)

Products: Cobbler Project: Cobbler · Opensuse: Backports, Factory · Suse: Linux Enterprise Server · +1 more

Show all products

Cobbler Project: Cobbler · Opensuse: Backports, Factory · Suse: Linux Enterprise Server · Fedoraproject: Fedora

Cobbler Project

1 product

2 products

1 product

Linux Enterprise Server

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cobbler Project Cobbler	Before 3.3.1

Configuration B

7 vulnerable

Vulnerable Software	Affected Versions
Opensuse Backports	Version sle-15 sp3
Opensuse Backports	Version sle-15 sp4
Opensuse Factory	All versions
Suse Linux Enterprise Server	Version 11 sp3
Suse Linux Enterprise Server	Version 12
Suse Linux Enterprise Server	Version 15 sp2
Suse Linux Enterprise Server	Version 15 sp3

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 34
Fedoraproject Fedora	Version 35
Fedoraproject Fedora	Version 36

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (10)

https://bugzilla.suse.com/show_bug.cgi?id=1193678

Source: cve@mitre.org

ExploitIssue TrackingPatchThird Party Advisory

https://github.com/cobbler/cobbler/releases

Source: cve@mitre.org

Release NotesThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEJN7CPW6YCHBFQPFZKGA6AVA6T5NPIW/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z5CSXQE7Q4TVDQJKFYBO4XDH3BZ7BLAR/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCXMOUW4DH4DYWIJN44SMSU6R3CZDZBE/

Source: cve@mitre.org

https://bugzilla.suse.com/show_bug.cgi?id=1193678

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPatchThird Party Advisory

https://github.com/cobbler/cobbler/releases

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEJN7CPW6YCHBFQPFZKGA6AVA6T5NPIW/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z5CSXQE7Q4TVDQJKFYBO4XDH3BZ7BLAR/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZCXMOUW4DH4DYWIJN44SMSU6R3CZDZBE/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.