← back
CVE-2018-1000226

CVE-2018-1000226

EPSS 12.5%
Vexday Risk Score
23Low
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS EPSS 12.5%KEV nãoPoC Nuclei simMetasploit Patch
Lifecycle
20 Aug 2018Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation, data manipulation or exfiltration, LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.
Affected products
n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/cobbler/cobbler/issues/1916https://movermeyer.com/2018-08-02-privilege-escalation-exploits-in-cobblers-api/