Permissions, Privileges, and Access Controls in Puppet Agent and Puppet Enterprise - CVE-2013-4956

 


Published: August 21, 2013 / Updated: August 10, 2020


Vulnerability identifier: #VU42645
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2013-4956
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Puppet Labs
Affected software:
Puppet Agent
Puppet Enterprise

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions.
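A defender-side check for the condition described above, as an added example that is not part of the original advisory or of Puppet's code: it lists entries in a module archive, and files under an installed module directory, whose mode bits are weaker than a chosen mask. The function names, the `acme-demo` sample module, and the definition of "weak" as group- or other-writable are assumptions made for illustration.

```python
import io
import os
import stat
import tarfile

# Assumption: "weak" means writable by group or other; widen the mask
# (e.g. add stat.S_IROTH) if module contents must not be world-readable.
WEAK_MASK = stat.S_IWGRP | stat.S_IWOTH


def weak_tar_members(fileobj, mask=WEAK_MASK):
    """Return (name, octal mode) for archive members whose mode hits mask."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return [(m.name, oct(m.mode & 0o7777))
                for m in tar.getmembers()
                if not m.issym() and m.mode & mask]


def weak_installed_paths(root, mask=WEAK_MASK):
    """Return (path, octal mode) for entries under root whose mode hits mask."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful
            if st.st_mode & mask:
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def build_sample_module():
    """Constructed sample: an in-memory module tarball with mixed modes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode in [("acme-demo-0.1.0/Modulefile", 0o644),
                           ("acme-demo-0.1.0/manifests/init.pp", 0o666),
                           ("acme-demo-0.1.0/files/run.sh", 0o777)]:
            info = tarfile.TarInfo(name)
            info.mode = mode
            data = b"# constructed sample\n"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, mode in weak_tar_members(build_sample_module()):
        print(f"{mode} {name}")
```

Point `weak_installed_paths` at the module directory of a node to review what is already on disk; any hit can be tightened with `chmod` once the expected owner and mode are confirmed.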


How to mitigate CVE-2013-4956

Install the update from the vendor's website.
