Main Vulnerability Database Vulnerabilities #VU41957

Improper Authentication in Puppet Enterprise - CVE-2013-4966

Published: March 9, 2014 / Updated: August 10, 2020

Vulnerability identifier: #VU41957

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2013-4966

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Puppet Labs

Affected software:
Puppet Enterprise

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.

How to mitigate CVE-2013-4966

Install update from vendor's website.

Sources

http://puppetlabs.com/security/cve/cve-2013-4966
http://www.securitytracker.com/id/1029873

Improper Authentication in Puppet Enterprise - CVE-2013-4966

Detailed vulnerability description

How to mitigate CVE-2013-4966

Sources

Please verify you're human