{"url":"http://public2.vulnerablecode.io/api/packages/23872?format=json","purl":"pkg:pypi/cobbler@0.6.3.post2","type":"pypi","namespace":"","name":"cobbler","version":"0.6.3.post2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.0.0","latest_non_vulnerable_version":"3.3.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35882?format=json","vulnerability_id":"VCID-3uqv-f4em-4qag","summary":"Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection.","references":[{"reference_url":"https://github.com/advisories/GHSA-cpqf-3c3r-c9g2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cpqf-3c3r-c9g2"},{"reference_url":"https://github.com/cobbler/cobbler","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler"},{"reference_url":"https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a"},{"reference_url":"https://github.com/cobbler/cobbler/releases/tag/v3.3.0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/releases/tag/v3.3.0"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-373.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-373.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40323","reference_id":"CVE-2021-40323","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40323"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/23876?format=json","purl":"pkg:pypi/cobbler@3.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gxpd-rmnn-67cm"},{"vulnerability":"VCID-n8d7-2mjk-wbc8"},{"vulnerability":"VCID-nrb3-t9dq-x7hw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cobbler@3.3.0"}],"aliases":["CVE-2021-40323","GHSA-cpqf-3c3r-c9g2","PYSEC-2021-373"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3uqv-f4em-4qag"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36036?format=json","vulnerability_id":"VCID-gxpd-rmnn-67cm","summary":"An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password.","references":[{"reference_url":"https://bugzilla.suse.com/show_bug.cgi?id=1193671","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.suse.com/show_bug.cgi?id=1193671"},{"reference_url":"https://github.com/advisories/GHSA-5946-mpw5-pqxx","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5946-mpw5-pqxx"},{"reference_url":"https://github.com/cobbler/cobbler","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler"},{"reference_url":"https://github.com/cobbler/cobbler/commit/10b2112db83fedfc391e900edfedc2b4e507d3f7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/commit/10b2112db83fedfc391e900edfedc2b4e507d3f7"},{"reference_url":"https://github.com/cobbler/cobbler/pull/2945","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/pull/2945"},{"reference_url":"https://github.com/cobbler/cobbler/releases","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/releases"},{"reference_url":"https://github.com/cobbler/cobbler/releases/tag/v3.3.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/releases/tag/v3.3.1"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2022-38.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2022-38.yaml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEJN7CPW6YCHBFQPFZKGA6AVA6T5NPIW","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TEJN7CPW6YCHBFQPFZKGA6AVA6T5NPIW"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z5CSXQE7Q4TVDQJKFYBO4XDH3BZ7BLAR","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z5CSXQE7Q4TVDQJKFYBO4XDH3BZ7BLAR"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCXMOUW4DH4DYWIJN44SMSU6R3CZDZBE","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCXMOUW4DH4DYWIJN44SMSU6R3CZDZBE"},{"reference_url":"https://www.openwall.com/lists/oss-security/2022/02/18/3","reference_id":"","reference_type":"","scores":[],"url":"https://www.openwall.com/lists/oss-security/2022/02/18/3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45083","reference_id":"CVE-2021-45083","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45083"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26620?format=json","purl":"pkg:pypi/cobbler@3.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n8d7-2mjk-wbc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cobbler@3.3.1"}],"aliases":["CVE-2021-45083","GHSA-5946-mpw5-pqxx","PYSEC-2022-38"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gxpd-rmnn-67cm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35881?format=json","vulnerability_id":"VCID-hpkx-7ure-6qbf","summary":"Cobbler before 3.3.0 allows authorization bypass for modification of settings.","references":[{"reference_url":"https://github.com/advisories/GHSA-cr3f-r24j-3chw","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cr3f-r24j-3chw"},{"reference_url":"https://github.com/cobbler/cobbler","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler"},{"reference_url":"https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a"},{"reference_url":"https://github.com/cobbler/cobbler/releases/tag/v3.3.0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/releases/tag/v3.3.0"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-375.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-375.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40325","reference_id":"CVE-2021-40325","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40325"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/23876?format=json","purl":"pkg:pypi/cobbler@3.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gxpd-rmnn-67cm"},{"vulnerability":"VCID-n8d7-2mjk-wbc8"},{"vulnerability":"VCID-nrb3-t9dq-x7hw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cobbler@3.3.0"}],"aliases":["CVE-2021-40325","GHSA-cr3f-r24j-3chw","PYSEC-2021-375"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hpkx-7ure-6qbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36056?format=json","vulnerability_id":"VCID-n8d7-2mjk-wbc8","summary":"Improper Authorization in GitHub repository cobbler/cobbler prior to 3.3.2.","references":[{"reference_url":"https://github.com/advisories/GHSA-mcg6-h362-cmq5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mcg6-h362-cmq5"},{"reference_url":"https://github.com/cobbler/cobbler","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler"},{"reference_url":"https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/commit/9044aa990a94752fa5bd5a24051adde099280bfa"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2022-177.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2022-177.yaml"},{"reference_url":"https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d","reference_id":"","reference_type":"","scores":[],"url":"https://huntr.dev/bounties/c458b868-63df-414e-af10-47e3745caa1d"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D4KCNZYBQC2FM5SEEDRQZO4LRZ4ZECMG/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DYWYHWVVRUSPCV5SWBOSAMQJQLTSBTKY/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IYSHMF6MEIITFAG7EJ3IQKVUN7MDV2XM/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0860","reference_id":"CVE-2022-0860","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0860"},{"reference_url":"https://github.com/cobbler/cobbler/security/advisories/GHSA-mcg6-h362-cmq5","reference_id":"GHSA-mcg6-h362-cmq5","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/security/advisories/GHSA-mcg6-h362-cmq5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26967?format=json","purl":"pkg:pypi/cobbler@3.3.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cobbler@3.3.2"}],"aliases":["CVE-2022-0860","GHSA-mcg6-h362-cmq5","PYSEC-2022-177"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n8d7-2mjk-wbc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36035?format=json","vulnerability_id":"VCID-nrb3-t9dq-x7hw","summary":"An issue was discovered in Cobbler before 3.3.1. In the templar.py file, the function check_for_invalid_imports can allow Cheetah code to import Python modules via the \"#from MODULE import\" substring. (Only lines beginning with #import are blocked.)","references":[{"reference_url":"https://bugzilla.suse.com/show_bug.cgi?id=1193678","reference_id":"","reference_type":"","scores":[],"url":"https://bugzilla.suse.com/show_bug.cgi?id=1193678"},{"reference_url":"https://github.com/advisories/GHSA-6cm4-gm85-972c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6cm4-gm85-972c"},{"reference_url":"https://github.com/cobbler/cobbler/pull/2945","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/pull/2945"},{"reference_url":"https://github.com/cobbler/cobbler/releases","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/releases"},{"reference_url":"https://github.com/cobbler/cobbler/releases/tag/v3.3.1","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/releases/tag/v3.3.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45082","reference_id":"CVE-2021-45082","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45082"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26620?format=json","purl":"pkg:pypi/cobbler@3.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-n8d7-2mjk-wbc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cobbler@3.3.1"}],"aliases":["CVE-2021-45082","GHSA-6cm4-gm85-972c","PYSEC-2022-37"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nrb3-t9dq-x7hw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35880?format=json","vulnerability_id":"VCID-y965-s4eq-vfee","summary":"Cobbler before 3.3.0 allows arbitrary file write operations via upload_log_data.","references":[{"reference_url":"https://github.com/advisories/GHSA-4cfr-gjfx-fj3x","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4cfr-gjfx-fj3x"},{"reference_url":"https://github.com/cobbler/cobbler","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler"},{"reference_url":"https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/commit/d8f60bbf14a838c8c8a1dba98086b223e35fe70a"},{"reference_url":"https://github.com/cobbler/cobbler/releases/tag/v3.3.0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/cobbler/cobbler/releases/tag/v3.3.0"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-374.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/cobbler/PYSEC-2021-374.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40324","reference_id":"CVE-2021-40324","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40324"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/23876?format=json","purl":"pkg:pypi/cobbler@3.3.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gxpd-rmnn-67cm"},{"vulnerability":"VCID-n8d7-2mjk-wbc8"},{"vulnerability":"VCID-nrb3-t9dq-x7hw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cobbler@3.3.0"}],"aliases":["CVE-2021-40324","GHSA-4cfr-gjfx-fj3x","PYSEC-2021-374"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y965-s4eq-vfee"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cobbler@0.6.3.post2"}