CVE-2021-45082: 
Python vulnerability analysis and mitigation

An issue was discovered in Cobbler before version 3.3.1. In the templar.py file, the function checkforinvalid_imports can allow Cheetah code to import Python modules via the '#from MODULE import' substring, while only lines beginning with #import are blocked (NVD, CVE).

The vulnerability is classified as a Command Injection issue (CWE-77) with a CVSS v3.1 Base Score of 7.8 (HIGH). The attack requires local access with low complexity and low privileges, requiring no user interaction. The vulnerability has the potential to impact confidentiality, integrity, and availability at a high level, with the attack vector being local (NVD).

The vulnerability allows an attacker to bypass the template sanitization mechanism and potentially execute arbitrary Python code through template imports. This could lead to unauthorized code execution with elevated privileges on the affected system (SUSE Bugzilla).

The vulnerability was fixed in Cobbler version 3.3.1. Users are advised to upgrade to this version or later. For Fedora users, security updates were released for Fedora 34 (cobbler-3.2.2-10.fc34), Fedora 35 (cobbler-3.2.2-10.fc35), and Fedora 36 (cobbler-3.3.1-1.fc36) (Fedora Updates).