CVE-2010-2235

Cobbler < 2.0.7 - Authenticated Remote Code Execution via Cheetah Template Engine

Description

template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Satellite Server and other products, does not disable the ability of the Cheetah template engine to execute Python statements contained in templates, which allows remote authenticated administrators to execute arbitrary code via a crafted kickstart template file, a different vulnerability than CVE-2008-6954.
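The description above turns on one fact: Cheetah compiles a template into a Python module, so a crafted kickstart template is Python by another name. That covers not only statement directives such as #import, #from and #silent but also the expressions inside #set, #if and #for and inside $placeholders. The scanner below is an added illustration of that attack surface and of a defense-in-depth check a deployment could run before handing a template to the engine; it is not Cobbler's template_api.py fix for 2.0.7 and not Cheetah code. The directive sets, the ALLOWED_CALLS list and the two sample templates are assumptions constructed for the example.

```python
"""Pre-render scanner for Cheetah-style kickstart templates.

Added example, not Cobbler's or Cheetah's code: it rejects the template
constructs that Cheetah compiles into arbitrary Python (the CVE-2010-2235
vector) before the template reaches the engine.  The directive and call
allow-lists are assumptions chosen for this illustration.
"""
import ast
import re

# Directives that import or execute Python outright; an installer kickstart
# never needs them, so their mere presence is a finding.
CODE_DIRECTIVES = {"import", "from", "extends", "implements", "silent", "echo",
                   "attr", "compiler-settings"}

# Control directives whose arguments are Python expressions: kept, but the
# expression is parsed and vetted instead of being handed to the engine.
EXPR_DIRECTIVES = {"set", "if", "elif", "else", "unless", "for", "while",
                   "assert", "return"}

# Calls tolerated inside expressions. $SNIPPET and $getVar are helpers Cobbler
# exposes to templates; the builtins are an assumed-safe subset for this example.
ALLOWED_CALLS = {"SNIPPET", "getVar", "str", "int", "len"}

# '#name' not preceded by '\' (escaped) or '#' (Cheetah '##' comment).
DIRECTIVE_RE = re.compile(r"(?<![\\#])#([A-Za-z][\w-]*)")
# '$name', '$name.attr', '$name(args)' or '${expr}', not preceded by '\'.
PLACEHOLDER_RE = re.compile(r"(?<!\\)\$(?:\{([^}]*)\}|([A-Za-z_][\w.]*(?:\([^)]*\))?))")


def _unsafe_expression(expr):
    """Return a reason if the Cheetah expression could run code, else None.

    Conservative: anything the Python parser cannot read once the '$' sugar
    is stripped (dict literals, nested braces, ...) is rejected as well.
    """
    text = expr.strip()
    src = text.replace("${", "(").replace("}", ")").replace("$", "")
    try:
        tree = ast.parse(src, mode="eval")
    except SyntaxError:
        return "unparseable expression %r" % text
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            fn = node.func
            if not (isinstance(fn, ast.Name) and fn.id in ALLOWED_CALLS):
                return "call outside allow-list in %r" % text
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return "dunder attribute in %r" % text
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            return "dunder name in %r" % text
        if isinstance(node, ast.Lambda):
            return "lambda in %r" % text
    return None


def _directive_expression(name, rest):
    """Pick out the Python expression a control directive evaluates."""
    rest = rest.strip()
    if name == "set":
        if rest.startswith("global "):
            rest = rest[len("global "):]
        return rest.partition("=")[2]      # right-hand side only
    if name == "for":
        return rest.partition(" in ")[2]   # the iterable
    if name == "else":
        return rest[3:] if rest.startswith("if ") else ""   # '#else if cond'
    return rest                            # if / elif / unless / while / assert / return


def scan_template(text):
    """Return [(line_no, reason), ...]; an empty list means the template passed."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        directive_hit = False
        for m in DIRECTIVE_RE.finditer(line):
            name = m.group(1)
            if name in CODE_DIRECTIVES:
                directive_hit = True
                findings.append((line_no, "code-executing directive #%s" % name))
            elif name in EXPR_DIRECTIVES:
                directive_hit = True
                expr = _directive_expression(name, line[m.end():])
                reason = _unsafe_expression(expr) if expr.strip() else None
                if reason:
                    findings.append((line_no, "#%s: %s" % (name, reason)))
        if not directive_hit:
            # Plain template text: every unescaped $placeholder is an expression too.
            for pm in PLACEHOLDER_RE.finditer(line):
                reason = _unsafe_expression(pm.group(1) or pm.group(2))
                if reason:
                    findings.append((line_no, reason))
    return findings


# Constructed samples for this example (not real Cobbler templates).
BENIGN_TEMPLATE = r"""#platform=x86, AMD64, or Intel EM64T
url --url=$tree
#set $arch = $getVar('arch', 'x86_64')
#if $arch == 'x86_64'
bootloader --location=mbr
#end if
%packages
#for $pkg in $packages
$pkg
#end for
%end
%post
echo "home is \$HOME"
$SNIPPET('post_install_network_config')
%end
"""

CRAFTED_TEMPLATE = r"""#import os
#silent $os.system('id > /tmp/pwned')
#set $x = $__import__('subprocess').call(['id'])
%post
${__import__('os').system('id')}
%end
"""
```

scan_template(BENIGN_TEMPLATE) returns an empty list; scan_template(CRAFTED_TEMPLATE) reports lines 1, 2, 3 and 5. Unknown `#words` such as the kickstart `#platform=` header are ignored because Cheetah passes them through as text, while `\$HOME` stays a literal because Cobbler templates escape shell variables that way. The check is deliberately strict: a method call on a template variable or a `#from` inside a quoted string is reported rather than reasoned about, which is the right trade-off for a file that only administrators edit and that the installer runs as root.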

References

Issue Tracking (x_refsource_confirm)
https://bugzilla.redhat.com/show_bug.cgi?id=607662

Vendor Advisory (vendor-advisory, x_refsource_redhat)
http://www.redhat.com/support/errata/RHSA-2010-0775.html

Scores

EPSS 0.0333
EPSS Percentile 87.1%

Details

CWE
CWE-94
Status published
Products (50)
michael_dehaan/cobbler 0.1.1.7
michael_dehaan/cobbler 0.2.1
michael_dehaan/cobbler 0.2.2
michael_dehaan/cobbler 0.2.3
michael_dehaan/cobbler 0.2.5
michael_dehaan/cobbler 0.2.7
michael_dehaan/cobbler 0.2.8
michael_dehaan/cobbler 0.2.9
michael_dehaan/cobbler 0.3.0
michael_dehaan/cobbler 0.3.1
... and 40 more
Published Dec 09, 2010
Tracked Since Feb 18, 2026