CVE-2012-2395
Cobbler subject to Command Injection
EPSS 0.47%
Description
A command injection vulnerability in action_power.py in Cobbler prior to v2.6.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) username or (2) password fields passed to the power_system method of the XML-RPC API.
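The class of bug described above, as an added illustration that is not Cobbler's code: a power-management command built by interpolating credentials into a shell string, beside the same call made with an argument list and no shell. The names `AGENT`, `power_unsafe` and `power_safe` are hypothetical, the agent is a stand-in that only prints the arguments it receives, and the sample credentials are constructed.

```python
import shlex
import subprocess
import sys

# Hypothetical stand-in for a power/fence agent: prints each argument it
# receives on its own line, so we can see what actually reached the program.
AGENT = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]


def power_unsafe(user, password):
    """Vulnerable pattern: credentials are pasted into a shell command line."""
    agent = " ".join(shlex.quote(part) for part in AGENT)
    cmd = "%s --user=%s --pass=%s" % (agent, user, password)
    # shell=True hands the whole string to /bin/sh, which interprets
    # metacharacters (;, |, $(), backticks) found inside the credentials.
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


def power_safe(user, password):
    """Hardened pattern: argv list and no shell, so credentials stay data."""
    argv = AGENT + ["--user=" + user, "--pass=" + password]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    # Constructed sample input: a password field carrying a shell separator
    # followed by a harmless marker command.
    sample_password = "x; echo INJECTED"
    print("shell string:", power_unsafe("admin", sample_password))
    print("argv list:   ", power_safe("admin", sample_password))
```

With the shell string, the agent sees a truncated password and the text after the separator runs as a second command; with the argument list, the agent receives the password field byte for byte. Secrets passed on a command line remain visible in the process list, so passing them on stdin is preferable where the called program supports it.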
How to fix CVE-2012-2395
To remediate CVE-2012-2395, upgrade the affected package to the fixed version listed below.
- PyPI/cobbler—upgrade to 2.6.0 or later
Is CVE-2012-2395 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 2.6.0