CVE-2024-47533

Publication date 18 November 2024

Last updated 20 November 2024

Ubuntu priority

Cobbler, a Linux installation server that allows for rapid setup of network installation environments, has an improper authentication vulnerability starting in version 3.0.0 and prior to versions 3.2.3 and 3.3.7. `utils.get_shared_secret()` always returns `-1`, which allows anyone to connect to cobbler XML-RPC as user `''` password `-1` and make any changes. This gives anyone with network access to a cobbler server full control of the server. Versions 3.2.3 and 3.3.7 fix the issue.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
cobbler	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
	16.04 LTS xenial	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2024-47533
https://github.com/cobbler/cobbler/security/advisories/GHSA-m26c-fcgh-cp6h
https://github.com/cobbler/cobbler/commit/32c5cada013dc8daa7320a8eda9932c2814742b0
https://github.com/cobbler/cobbler/commit/e19717623c10b29e7466ed4ab23515a94beb2dda