CVE-2010-2235
Cobbler < 2.0.7 - Authenticated Remote Code Execution via Cheetah Template Engine
template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Satellite Server and other products, does not disable the ability of the Cheetah template engine to execute Python statements contained in templates, which allows remote authenticated administrators to execute arbitrary code via a crafted kickstart template file, a different vulnerability than CVE-2008-6954.
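The description above hinges on one fact: Cheetah is a full Python templating engine, so a template that contains directives such as `#import`, `#from`, `#echo` or `#silent` runs arbitrary Python on the Cobbler server when it is rendered, and before 2.0.7 nothing in template_api.py prevented an authenticated administrator from uploading such a template as a kickstart. The following is an added example, not Cobbler's own code and not the 2.0.7 fix: a pre-screen that audits kickstart template text for Cheetah directives and expressions that would execute Python, skipping `#raw ... #end raw` blocks (literal text) and `##` comments. The directive names are real Cheetah syntax; the deny-list policy, the `SUSPICIOUS_NAMES` heuristic and both sample templates are constructed for this illustration.

```python
"""Audit a kickstart template for Cheetah directives that execute Python.

Added illustration for CVE-2010-2235. This is NOT Cobbler's template_api.py
and not the upstream fix; it is a heuristic pre-screen a template store
could run before handing administrator-supplied text to Cheetah.
"""
import re

# Cheetah directives that import modules, evaluate arbitrary Python
# statements or pull in other files. Heuristic deny-list, not a full model
# of the Cheetah grammar (an assumption of this example, not Cobbler policy).
PYTHON_DIRECTIVES = (
    "import", "from", "echo", "silent", "include", "extends",
    "compiler-settings",
)

# Names that, inside a Cheetah expression, almost always mean code execution
# rather than kickstart templating. Also a constructed heuristic.
SUSPICIOUS_NAMES = ("__import__", "eval(", "exec(", "open(", "os.", "subprocess")

# A directive is '#' at the start of a line followed by its keyword.
_DIRECTIVE_RE = re.compile(r"^\s*#\s*([A-Za-z-]+)")


def find_python_directives(template_text):
    """Return [(line_no, reason, line), ...] for lines that could make Cheetah
    run Python. Lines inside #raw ... #end raw are literal and skipped, as are
    ## single-line Cheetah comments."""
    findings = []
    in_raw = False
    for line_no, line in enumerate(template_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("##"):
            continue
        m = _DIRECTIVE_RE.match(line)
        directive = m.group(1).lower() if m else None
        if in_raw:
            if directive == "end" and stripped.replace(" ", "").lower().startswith("#endraw"):
                in_raw = False
            continue
        if directive == "raw":
            in_raw = True
            continue
        if directive in PYTHON_DIRECTIVES:
            findings.append((line_no, "directive #%s" % directive, stripped))
            continue
        # Only look for suspicious names where Cheetah would evaluate them:
        # directive lines or lines carrying a $placeholder.
        if directive or "$" in line:
            for name in SUSPICIOUS_NAMES:
                if name in line:
                    findings.append((line_no, "suspicious name %r" % name, stripped))
                    break
    return findings


def is_safe_template(template_text):
    """True when the pre-screen finds nothing; False otherwise."""
    return not find_python_directives(template_text)


# Constructed sample: a benign kickstart fragment using only data placeholders.
BENIGN = """\
# Constructed kickstart template fragment (not from the Cobbler project)
install
url --url=$tree
lang en_US.UTF-8
#if $getVar('system_name', '') != ''
network --bootproto=dhcp --hostname=$system_name
#end if
#set $ntp = $getVar('ntp_server', 'pool.ntp.org')
timezone --utc UTC --ntpservers=$ntp
%post
#raw
for d in /etc/yum.repos.d/*.repo; do echo "$d"; done
#end raw
%end
"""

# Constructed sample: the same kind of file carrying Python-executing directives.
MALICIOUS = """\
install
#import os
#silent os.system('id > /tmp/pwned')
#echo open('/etc/shadow').read()
#from subprocess import call
url --url=$tree
#set $h = $getVar('hostname', '')
## Cheetah comment: a #import mentioned here is inert
"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, "safe" if is_safe_template(text) else "REJECTED")
        for line_no, reason, line in find_python_directives(text):
            print("  line %d: %s: %s" % (line_no, reason, line))
```

The `%post` section is the usual false-positive source, since shell scripts are full of `$`; wrapping such scripts in `#raw ... #end raw`, which Cheetah treats as literal text, keeps them out of the scan as well as out of the template engine. A screen like this is a compensating control only; the real fix is upgrading past 2.0.7 so the engine itself refuses Python statements in templates.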
References (3)
Issue Tracking (Red Hat Bugzilla 607662): https://bugzilla.redhat.com/show_bug.cgi?id=607662
Vendor Advisory (RHSA-2010:0775): http://www.redhat.com/support/errata/RHSA-2010-0775.html
Patch (Cobbler 2.0.8 release tarball): http://people.fedoraproject.org/~shenson/cobbler/cobbler-2.0.8.tar.gz
Scores
EPSS
0.0333
EPSS Percentile
87.1%
Details
CWE
CWE-94: Improper Control of Generation of Code ('Code Injection')
Status
published
Products (50)
michael_dehaan/cobbler
0.1.1.7
michael_dehaan/cobbler
0.2.1
michael_dehaan/cobbler
0.2.2
michael_dehaan/cobbler
0.2.3
michael_dehaan/cobbler
0.2.5
michael_dehaan/cobbler
0.2.7
michael_dehaan/cobbler
0.2.8
michael_dehaan/cobbler
0.2.9
michael_dehaan/cobbler
0.3.0
michael_dehaan/cobbler
0.3.1
... and 40 more
Published
Dec 09, 2010
Tracked Since
Feb 18, 2026