Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2011-0528 |
CWE-ID | CWE-264 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Puppet Agent (Server applications / Conferencing, Collaboration and VoIP solutions) |
Vendor | Puppet Labs |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU42027
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2011-0528
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
Puppet 2.6.0 through 2.6.3 does not properly restrict access to node resources, which allows remote authenticated Puppet nodes to read or modify the resources of other nodes via unspecified vectors.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Puppet Agent:
External links
https://www.mail-archive.com/puppet-users%40googlegroups.com/msg16429.html
https://www.openwall.com/lists/oss-security/2011/01/27/6
https://www.openwall.com/lists/oss-security/2011/01/31/5
https://www.ubuntu.com/usn/USN-1365-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.