{"id":"PYSEC-2022-38","details":"An issue was discovered in Cobbler before 3.3.1. Files in /etc/cobbler are world readable. Two of those files contain some sensitive information that can be exposed to a local user who has non-privileged access to the server. The users.digest file contains the sha2-512 digest of users in a Cobbler local installation. In the case of an easy-to-guess password, it's trivial to obtain the plaintext string. The settings.yaml file contains secrets such as the hashed default password.","aliases":["CVE-2021-45083","GHSA-5946-mpw5-pqxx"],"modified":"2025-09-19T04:18:31.791523Z","published":"2022-02-20T18:15:00Z","references":[{"type":"WEB","url":"https://github.com/cobbler/cobbler/releases"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2022/02/18/3"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1193671"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-5946-mpw5-pqxx"}],"affected":[{"package":{"name":"cobbler","ecosystem":"PyPI","purl":"pkg:pypi/cobbler"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3.1"}]}],"versions":["0.6.3-2","3.1.2","3.2.1","3.2.2","3.3.0","3.2.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/cobbler/PYSEC-2022-38.yaml"}}],"schema_version":"1.7.3"}