Main Vulnerability Database SB2014030902

SB2014030902 - Multiple vulnerabilities in Puppet Enterprise

Published: March 9, 2014 Updated: August 10, 2020

Security Bulletin ID SB2014030902

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Authentication (CVE-ID: CVE-2013-4966)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-4971)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Puppet Enterprise before 3.2.0 does not properly restrict access to node endpoints in the console, which allows remote attackers to obtain sensitive information via unspecified vectors.

Remediation

Install update from vendor's website.

SB2014030902 - Multiple vulnerabilities in Puppet Enterprise

Breakdown by Severity

Description

Remediation

References

Please verify you're human