CVE-2010-2235

Impact: Important
Public Date: 2010-10-18
CWE: CWE-96
Bugzilla: 607662: CVE-2010-2235 RHN Satellite (cobbler): Code injection flaw (ACE as root) by processing of a specially-crafted kickstart template file

The MITRE CVE dictionary describes this issue as:

template_api.py in Cobbler before 2.0.7, as used in Red Hat Network Satellite Server and other products, does not disable the ability of the Cheetah template engine to execute Python statements contained in templates, which allows remote authenticated administrators to execute arbitrary code via a crafted kickstart template file, a different vulnerability than CVE-2008-6954.

Find out more about CVE-2010-2235 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score 7.1
Base Metrics AV:N/AC:H/Au:S/C:C/I:C/A:C
Access Vector Network
Access Complexity High
Authentication Single
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Satellite 5.3 (RHEL v.5) (cobbler) RHSA-2010:0775 2010-10-18
Red Hat Satellite 5.3 (RHEL v.4) (cobbler) RHSA-2010:0775 2010-10-18

Affected Packages State

Platform Package State
Red Hat Satellite 5.3 Server Affected

Acknowledgements

Red Hat would like to thank Doug Knight of University of Alaska for reporting this issue.

CVE description copyright © 2017, The MITRE Corporation
