Page 3 of 14 results (0.005 seconds)

CVSS: 5.1EPSS: 1%CPEs: 11EXPL: 0

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master. Vulnerabilidad sin especificar en Puppet 2.7.x anterior a 2.7.23 y 3.2.x anterior a 3.2.4, y Puppet Enterprise 2.8.x anterior a 2.8.3 y 3.0.x anterior a 3.0.1, permite a atacantes remotos ejecutar programas Ruby arbitrariamente desde el master a través del servicio resource_type. NOTA: esta vulnerabilidad únicamente puede ser explotada utilizando un "acceso local al sistema de ficheros no especificado" al Puppet Master. • http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00009.html http://puppetlabs.com/security/cve/cve-2013-4761 http://rhn.redhat.com/errata/RHSA-2013-1283.html http://rhn.redhat.com/errata/RHSA-2013-1284.html http://www.debian.org/security/2013/dsa-2761 https://access.redhat.com/security/cve/CVE-2013-4761 https://bugzilla.redhat.com/show_bug.cgi?id=996856 •

CVSS: 3.7EPSS: 0%CPEs: 28EXPL: 0

Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions. Puppet Module Tool (PMT), usado en Puppet 2.7.x anterior a 2.7.23 y 3.2.x anterior a 3.2.4, y Puppet Enterprise 2.8.x anterior a 2.8.3 y 3.0.x anterior a 3.0.1, instala módulos con permisos débiles si estos son utilizados cuando los módulos se construyen inicialmente, lo que podría permitir a usuarios locales leer o modificar dichos módulos dependiendo de los permisos originales. • http://puppetlabs.com/security/cve/cve-2013-4956 http://rhn.redhat.com/errata/RHSA-2013-1283.html http://rhn.redhat.com/errata/RHSA-2013-1284.html http://www.debian.org/security/2013/dsa-2761 https://access.redhat.com/security/cve/CVE-2013-4956 https://bugzilla.redhat.com/show_bug.cgi?id=996855 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 7.5EPSS: 22%CPEs: 41EXPL: 0

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call. Puppet 2.7.x anterior a 2.7.22 y 3.2.x anterior a 3.2.2, y Puppet Enterprise anterior a 2.8.2, deserializa YAML sin confianza, lo que permite a atacantes remotos la instanciación de clases de Ruby y ejecutar código arbitrario a través de una llamada RESTAPI manipulada. • http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html http://rhn.redhat.com/errata/RHSA-2013-1283.html http://rhn.redhat.com/errata/RHSA-2013-1284.html http://secunia.com/advisories/54429 http://www.debian.org/security/2013/dsa-2715 http://www.ubuntu.com/usn/USN-1886-1 https://puppetlabs.com/security/cve/cve-2013-3567 https://access.redhat.com/security/cve/CVE-2013-3567 https& • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •

CVSS: 9.0EPSS: 2%CPEs: 9EXPL: 0

The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request. La funciones (1) template y (2) inline_template en el servidor maestro en Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, permite a usuarios remotos autenticados ejecutar código arbitrario a través de una solicitud de catálogo especialmente diseñado. • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://secunia.com/advisories/52596 http://ubuntu.com/usn/usn-1759-1 http://www.debian.org/security/2013/dsa-2643 https://puppetlabs.com/security/cve/cve-2013-1640 https://access.redhat.com/security/cve/CVE-2013-1640 https://bugzilla.redhat.com/show_bug.cgi?id=919783 • CWE-502: Deserialization of Untrusted Data •