How severe is CVE-2018-1000226?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2018-1000226?

This is classified as CWE-732, which is a common weakness in software security.

CVE-2018-1000226 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

Cobbler version Verified as present in Cobbler versions 2.6.11+, but code inspection suggests at least 2.0.0+ or possibly even older versions may be vulnerable contains a Incorrect Access Control vulnerability in XMLRPC API (/cobbler_api) that can result in Privilege escalation, data manipulation or exfiltration, LDAP credential harvesting. This attack appear to be exploitable via "network connectivity". Taking advantage of improper validation of security tokens in API endpoints. Please note this is a different issue than CVE-2018-10931.

Related Vulnerabilities

CVE-2011-3923

CRITICAL

CVSS:9.8(Critical)

Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.

CWE-7322011

CVE-2012-2087

CRITICAL

CVSS:9.8(Critical)

ISPConfig 3.0.4.3: the "Add new Webdav user" can chmod and chown entire server from client interface.

CWE-7322012

CVE-2017-1000153

CRITICAL

CVSS:9.8(Critical)

Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before 16.04.4 are vulnerable to incorrect access control after the password reset link is sent via email and then user changes default ...

CWE-7322017

CVE-2017-12816

CRITICAL

CVSS:9.8(Critical)

In Kaspersky Internet Security for Android 11.12.4.1622, some of application exports activities have weak permissions, which might be used by a malware application to get unauthorized access to the pr...

CWE-7322017

CVE-2017-15877

CRITICAL

CVSS:9.8(Critical)

Insecure Permissions vulnerability in db.php file in GPWeb 8.4.61 allows remote attackers to view the password and user database.

CWE-7322017

CVE-2017-16638

CRITICAL

CVSS:9.8(Critical)

The Gentoo net-misc/vde package before version 2.3.2-r4 may allow members of the "qemu" group to gain root privileges by creating a hard link in a directory on which "chown" is called recursively by t...

CWE-7322017