CVE-2011-4953
Cobbler vulnerable to code injection via unsafe YAML loading
EPSS 0.71%
Description
The `set_mgmt_parameters` function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the `yaml.load` function instead of the `yaml.safe_load` function, as demonstrated using Puppet. The attacker-controlled input is the management-parameters string that Cobbler hands to configuration management (Puppet in the demonstration); PyYAML's default `yaml.load` resolves `!!python/...` tags, so a crafted parameter block can instantiate arbitrary Python objects and call arbitrary callables during parsing, before any validation of the parsed result runs.
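The bug class in runnable form. This is an added illustration modelled on the description above, not Cobbler's own item.py: the two function names, the sample management-parameters document and the harmless `os.getpid` gadget are assumptions chosen so the effect is visible without side effects (a real attacker would substitute `os.system` or `subprocess.check_output`). It needs PyYAML; on PyYAML 5.1 and later `yaml.load` must be given `Loader=yaml.Loader` explicitly to reproduce what the old bare `yaml.load(text)` did by default.

```python
"""Vulnerable vs. hardened YAML parsing of attacker-controlled parameters.

Illustrative reproduction of the CVE-2011-4953 pattern, not Cobbler code.
"""
import os

import yaml

# Constructed sample input. A legitimate management-parameters document is a
# plain mapping; this one smuggles a PyYAML-specific tag that makes the
# constructor-enabled Loader import `os` and call `os.getpid()` while parsing.
MALICIOUS_MGMT_PARAMS = """\
ntp_servers:
  - 10.0.0.1
puppet_classes: !!python/object/apply:os.getpid []
"""


def set_mgmt_parameters_unsafe(text: str) -> dict:
    """Pre-fix pattern: yaml.load with the full, constructor-enabled Loader.

    Before PyYAML 5.1 a bare ``yaml.load(text)`` selected this Loader
    implicitly, which is why the original code was silently dangerous.
    The type check afterwards comes too late: the gadget already ran.
    """
    data = yaml.load(text, Loader=yaml.Loader)
    if not isinstance(data, dict):
        raise ValueError("mgmt_parameters must be a mapping")
    return data


def set_mgmt_parameters_safe(text: str) -> dict:
    """Fixed pattern: safe_load only builds str/int/float/bool/list/dict.

    Any ``!!python/...`` tag is rejected with a ConstructorError instead
    of being executed.
    """
    data = yaml.safe_load(text)
    if not isinstance(data, dict):
        raise ValueError("mgmt_parameters must be a mapping")
    return data


def demonstrate() -> dict:
    """Run both parsers over the same hostile input and report what happened."""
    unsafe = set_mgmt_parameters_unsafe(MALICIOUS_MGMT_PARAMS)
    # If the tag was honoured, the "puppet_classes" value is our own PID,
    # i.e. the parser called os.getpid() on the attacker's behalf.
    unsafe_executed = unsafe["puppet_classes"] == os.getpid()

    try:
        set_mgmt_parameters_safe(MALICIOUS_MGMT_PARAMS)
        safe_blocked = False
    except yaml.YAMLError:  # yaml.constructor.ConstructorError in practice
        safe_blocked = True

    return {"unsafe_executed": unsafe_executed, "safe_blocked": safe_blocked}


if __name__ == "__main__":
    print(demonstrate())
```

The check a practitioner wants when auditing a code base for this class is simply `grep -rn "yaml.load(" --include='*.py'` and confirming every hit either uses `safe_load` or passes `Loader=yaml.SafeLoader`; a bare `yaml.load(text)` on PyYAML older than 5.1, or any call with `Loader=yaml.Loader`/`yaml.UnsafeLoader`, on data that crosses a trust boundary is the same bug as the one described here.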
How to fix CVE-2011-4953
To remediate CVE-2011-4953, upgrade the affected package to a fixed version below. The upstream fix replaced `yaml.load` with `yaml.safe_load` in 2.2.2; 2.6.0 is the first fixed release available from PyPI. Until the upgrade is deployed, limit who can set management parameters on profiles and systems, since that is the input the vulnerable parser consumes.
- PyPI/cobbler—upgrade to 2.6.0 or later
Is CVE-2011-4953 being exploited?
Low — EPSS is 0.71%, i.e. the model estimates well under a 1% probability that this vulnerability is exploited in the wild within the next 30 days. Note that EPSS is a prediction, not a record of observed attacks, and that the score does not account for whether your deployment exposes the Cobbler API to untrusted users.
Affected packages (1)
- PyPI/cobbler: all versions from 0 up to, but not including, 2.6.0