CVE-2017-10689 – puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions
https://notcve.org/view.php?id=CVE-2017-10689
In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability. En versiones anteriores de Puppet Agent, era posible instalar un módulo con permisos de modificación para cualquier usuario. Puppet Agent 5.3.4 y 1.10.10 incluían una solución para esta vulnerabilidad. • https://access.redhat.com/errata/RHSA-2018:2927 https://puppet.com/security/cve/CVE-2017-10689 https://usn.ubuntu.com/3567-1 https://access.redhat.com/security/cve/CVE-2017-10689 https://bugzilla.redhat.com/show_bug.cgi?id=1542850 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVE-2014-3250
https://notcve.org/view.php?id=CVE-2014-3250
The default vhost configuration file in Puppet before 3.6.2 does not include the SSLCARevocationCheck directive, which might allow remote attackers to obtain sensitive information via a revoked certificate when a Puppet master runs with Apache 2.4. El archivo de configuración vhost por defecto en Puppet en versiones anteriores a la 3.6.2 no incluye la directiva SSLCARevocationCheck. Esto podría permitir que atacantes remotos obtengan información sensible mediante un certificado revocado cuando un Puppet master se ejecuta con Apache 2.4. • https://bugzilla.redhat.com/show_bug.cgi?id=1101347 https://puppet.com/security/cve/CVE-2014-3250 • CWE-295: Improper Certificate Validation •
CVE-2017-2295 – puppet: Unsafe YAML deserialization
https://notcve.org/view.php?id=CVE-2017-2295
Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML. Las versiones de Puppet anteriores a la 4.10.1 deserializarán datos "off the wire" (del agente al servidor, en este caso) con un formato especificado por el atacante. Esto podría emplearse para forzar la deserialización YAML de forma no segura, lo que conduciría a la ejecución remota de código. • http://www.debian.org/security/2017/dsa-3862 http://www.securityfocus.com/bid/98582 https://puppet.com/security/cve/cve-2017-2295 https://access.redhat.com/security/cve/CVE-2017-2295 https://bugzilla.redhat.com/show_bug.cgi?id=1452651 • CWE-502: Deserialization of Untrusted Data •
CVE-2014-3248
https://notcve.org/view.php?id=CVE-2014-3248
Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine. Vulnerabilidad de ruta de búsqueda no confiable en Puppet Enterprise 2.8 anterior a 2.8.7, Puppet anterior a 2.7.26 y 3.x anterior a 3.6.2, Facter 1.6.x y 2.x anterior a 2.0.2, Hiera anterior a 1.3.4, y Mcollective anterior a 2.5.2 o anteriores, permite a usuarios locales ganar privilegios ubicando un troyano en el directorio actual a través de un troyano en un archivo, se demostró usando (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, o (6) safe_yaml/deep.so; o (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, o (10) osfamily.so en puppet/confine. • http://puppetlabs.com/security/cve/cve-2014-3248 http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet http://secunia.com/advisories/59197 http://secunia.com/advisories/59200 http://www.securityfocus.com/bid/68035 • CWE-17: DEPRECATED: Code •
CVE-2013-4966
https://notcve.org/view.php?id=CVE-2013-4966
The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console. El script maestro de clasificación de nodo externo en Puppet Enterprise anterior a 3.2.0 no verifica la identidad de consolas, lo que permite a atacantes remotos crear clasificaciones arbitrarias en el maestro mediante la falsificación de una consola. • http://puppetlabs.com/security/cve/cve-2013-4966 http://www.securitytracker.com/id/1029873 • CWE-287: Improper Authentication •