Permissions, Privileges, and Access Controls in Puppet Enterprise - CVE-2013-4964

 


Published: August 21, 2013 / Updated: August 10, 2020


Vulnerability identifier: #VU42650
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2013-4964
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Puppet Labs
Affected software: Puppet Enterprise

Detailed vulnerability description

The vulnerability allows a remote unauthenticated attacker to manipulate data.

Puppet Enterprise before 3.0.1 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.
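
A check for the condition described above, added here as an example and not taken from the vendor or from this advisory: it parses the `Set-Cookie` values of an HTTPS response and reports cookies issued without the Secure attribute. The cookie names and values in the sample data are constructed and hypothetical; they are not Puppet Enterprise's real cookie names.

```python
"""Audit Set-Cookie header values for the Secure attribute."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookies_missing_secure(set_cookie_values, scheme):
    """Return names of cookies set over HTTPS without the Secure attribute."""
    if scheme.lower() != "https":
        return []  # the finding concerns cookies issued in an HTTPS session
    missing = []
    for raw in set_cookie_values:
        name, _value, attrs = parse_set_cookie(raw)
        # Only a real attribute counts; the word "secure" inside the
        # cookie value or name must not satisfy the check.
        if "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed Set-Cookie values; the cookie names are hypothetical.
SAMPLE_HTTPS_RESPONSE = [
    "_session_id=3f9c1e; path=/; HttpOnly",                # no Secure flag
    "_session_id_fixed=3f9c1e; Path=/; HttpOnly; SECURE",  # flag in any case
    "pref=secure; Path=/",                                 # value, not a flag
]

if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_HTTPS_RESPONSE, "https"):
        print(f"cookie {cookie!r} set over HTTPS without Secure")
```
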


How to mitigate CVE-2013-4964

Install the update from the vendor's website.
