Main Vulnerability Database Vulnerabilities #VU42649

Credentials management in Puppet Enterprise - CVE-2013-4962

Published: August 21, 2013 / Updated: August 10, 2020

Vulnerability identifier: #VU42649

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2013-4962

CWE-ID: CWE-255

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Puppet Labs

Affected software:
Puppet Enterprise

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

The reset password page in Puppet Enterprise before 3.0.1 does not force entry of the current password, which allows attackers to modify user passwords by leveraging session hijacking, an unattended workstation, or other vectors.

How to mitigate CVE-2013-4962

Install update from vendor's website.

Sources

http://puppetlabs.com/security/cve/cve-2013-4962/

Credentials management in Puppet Enterprise - CVE-2013-4962

Detailed vulnerability description

How to mitigate CVE-2013-4962

Sources

Please verify you're human