CVE-2014-3225 — Cobbler Path Traversal vulnerability

Description

Absolute path traversal vulnerability in the web interface in Cobbler 2.4.x through 2.6.x allows remote authenticated users to read arbitrary files via the Kickstart field in a profile.

How to fix CVE-2014-3225

To remediate CVE-2014-3225, upgrade the affected package to a fixed version below.

PyPI/cobbler—upgrade to 2.6.4 or later

Is CVE-2014-3225 being exploited?

Moderate — EPSS is 6.1%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 2.6.0, < 2.6.4

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3225
PATCHgithub.com/cobbler/cobbler
WEBpacketstormsecurity.com/files/126553/Cobbler-Local-File-Inclusion.html
WEBseclists.org/oss-sec/2014/q2/273
WEB