CVE-2018-10931:
Cobbler has Exposed Dangerous Method or Function
CVSS Score (v3.0): 9.8
Basic Information
CVE ID: CVE-2018-10931
GHSA ID:
EPSS Score: 0.98475%
CWE:
Published: 5/13/2022
Updated: 2/8/2023
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
cobbler | pip | >= 2.6.0, < 3.0.0 | 3.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from CobblerXMLRPCInterface exposing all of its class methods over XMLRPC without requiring authentication. The GitHub commit explicitly adds access checks to 'modify_setting', confirming that this method was previously reachable by unauthenticated callers. Because 'modify_setting' can alter system settings, including security-relevant flags, its exposure made it a critical attack vector. Other methods in the class were likely exposed in the same way, but 'modify_setting' is the one specifically documented in the patch and in vulnerability reports as a key entry point for privilege escalation.