N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2014-3225

GHSA ID

GHSA-xc7w-jvhx-p6q9

EPSS Score

0.90495%

CWE

CWE-22

Published

5/14/2022

Updated

4/10/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2014-3225

CVE-2014-3225: Cobbler Path Traversal vulnerability

Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2014-3225

CVE-2014-3225:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2014-3225

GHSA ID

GHSA-xc7w-jvhx-p6q9

EPSS Score

0.90495%

CWE

CWE-22

Published

5/14/2022

Updated

4/10/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cobbler	pip	>= 2.6.0, < 2.6.4	2.6.4
cobbler	pip	>= 2.4.0, < 2.4.7	2.4.7

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper path validation when setting the kickstart field in profiles. The commit diff shows the vulnerable code was in remote.py's modify_item function, which processed the 'kickstart' attribute for systems without path validation. The patch added validation specifically for this attribute, confirming this was the entry point. The CWE-22 classification and exploit PoC both align with this being the vulnerable function that accepted unvalidated user input for file paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2014-3225: Cobbler Path Traversal vulnerability

CVE-2014-3225:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2014-3225: Cobbler Path Traversal vulnerability

Basic Information

Basic Information

Technical Details

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI