Date: Thu, 9 Aug 2018 17:42:39 +0200
From: Cedric Buissart <>
Subject: cobbler CVE-2018-10931: CobblerXMLRPCInterface exports internal only functions over XMLRPC

Cobbler is a Linux installation server that allows for rapid setup of
installation environments. It is used in products like Red Hat Enterprise
Satellite 5 and Spacewalk. The upstream project is at:

While diagnosing the following 2 flaws:

Another flaw has been found: cobbler exposes all functions from its
CobblerXMLRPCInterface class over XMLRPC, including the __* functions that
are meant to be internal only. Python does not hide such functions; it merely
renames a __* function to _<classname>__<functionname> (name mangling), so it
remains an attribute that the dispatcher can look up. A remote, unauthenticated
attacker could use this flaw by calling the real (mangled) name of any __*
function and gain privileges within cobbler or upload files to arbitrary
locations in the context of the daemon. This is identified as CVE-2018-10931.

All versions of cobbler (at least since 2.0.7) are affected.

To reproduce the issue: use the reproducers from the report above and call
the __<name> function as _CobblerXMLRPCInterface__<name>.
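To illustrate the mechanism, here is an added toy example (not cobbler's code): a dispatcher that resolves method names with hasattr()/getattr(), as the vulnerable _dispatch did, next to one carrying the same leading-underscore check as the patch below. The class names ToyXMLRPCInterface, CX and the __write_file method are constructed for this example.

```python
class ToyXMLRPCInterface:
    """Stand-in for CobblerXMLRPCInterface: one public and one internal method."""

    def version(self):
        return "toy 1.0"

    def __write_file(self, path, data):
        # Intended as internal only, but Python name mangling stores it as
        # _ToyXMLRPCInterface__write_file, which hasattr()/getattr() resolve.
        return "would write %d bytes to %s" % (len(data), path)


class CX(Exception):
    """Constructed mirror of cobbler's CX error type."""


class VulnerableDispatcher:
    """Before the fix: any attribute the proxied object has is callable."""

    def __init__(self, proxied):
        self.proxied = proxied

    def _dispatch(self, method, params):
        if not hasattr(self.proxied, method):
            raise CX("unknown remote method")
        return getattr(self.proxied, method)(*params)


class FixedDispatcher(VulnerableDispatcher):
    """After the fix: reject every leading-underscore name before the lookup."""

    def _dispatch(self, method, params):
        if method.startswith('_'):
            raise CX("forbidden method")
        return super()._dispatch(method, params)


def demo():
    """Return what each dispatcher does with a public and a mangled name."""
    iface = ToyXMLRPCInterface()
    mangled = "_ToyXMLRPCInterface__write_file"  # the real name of __write_file
    args = ("/tmp/example", b"abc")              # constructed sample call
    results = {}
    results["vuln_public"] = VulnerableDispatcher(iface)._dispatch("version", ())
    results["vuln_mangled"] = VulnerableDispatcher(iface)._dispatch(mangled, args)
    results["fixed_public"] = FixedDispatcher(iface)._dispatch("version", ())
    try:
        results["fixed_mangled"] = FixedDispatcher(iface)._dispatch(mangled, args)
    except CX as err:
        results["fixed_mangled"] = str(err)
    return results
```

Calling demo() shows the vulnerable dispatcher reaching the "internal" method through its mangled name while the fixed one rejects it and still serves the public method.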

The patch for this specific vulnerability (i.e. it does *not* fix the
vulnerability reported by ):

 cobbler/ | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cobbler/ b/cobbler/
index 94a18e7..ea0e354 100644
--- a/cobbler/
+++ b/cobbler/
@@ -1752,6 +1752,9 @@ class ProxiedXMLRPCInterface:

     def _dispatch(self, method, params, **rest):

+        if method.startswith('_'):
+            raise CX("forbidden method")
         if not hasattr(self.proxied, method):
             raise CX("unknown remote method")

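Review bot: the new guard in _dispatch rejects every method name starting with '_' before the hasattr() lookup, which covers the mangled _CobblerXMLRPCInterface__* names as well as single-underscore helpers without revealing whether such an attribute exists; however it only protects callers that reach CobblerXMLRPCInterface through ProxiedXMLRPCInterface, so any other registration of the interface with the XML-RPC server is unaffected by this change. A positive list of exported methods (or a check that the resolved attribute is a callable defined for remote use) would not depend on the proxy wrapping and would be worth considering as a follow-up.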

Best regards,

Cedric Buissart,
Product Security
