CVSS: 2.1 | EPSS: 0% | CPEs: 11 | EXPL: 0

Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files.

References:
• http://puppetlabs.com/security/cve/cve-2013-4969
• http://secunia.com/advisories/56253
• http://secunia.com/advisories/56254
• http://www.debian.org/security/2013/dsa-2831
• http://www.ubuntu.com/usn/USN-2077-1

CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVSS: 6.8 | EPSS: 0% | CPEs: 7 | EXPL: 0

The dashboard report in Puppet Enterprise before 3.0.1 allows attackers to execute arbitrary YAML code via a crafted report-specific type.

References:
• http://osvdb.org/98639
• http://puppetlabs.com/security/cve/cve-2013-4957
• http://secunia.com/advisories/55362
• https://exchange.xforce.ibmcloud.com/vulnerabilities/88089

CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

Puppet Enterprise before 3.1.0 does not properly restrict the number of authentication attempts by a console account, which makes it easier for remote attackers to bypass intended access restrictions via a brute-force attack.

References:
• http://osvdb.org/98640
• http://puppetlabs.com/security/cve/cve-2013-4965

CWE-287: Improper Authentication

CVSS: 2.1 | EPSS: 0% | CPEs: 7 | EXPL: 0

Puppet Enterprise before 3.0.1 uses HTTP responses that contain sensitive information without the "no-cache" setting, which might allow local users to obtain sensitive information such as (1) host name, (2) MAC address, and (3) SSH keys via the web browser cache.

References:
• http://puppetlabs.com/security/cve/cve-2013-4959

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.8 | EPSS: 0% | CPEs: 7 | EXPL: 0

Puppet Enterprise before 3.0.1 does not sufficiently invalidate a session when a user logs out, which might allow remote attackers to hijack sessions by obtaining an old session ID.

References:
• http://puppetlabs.com/security/cve/cve-2013-4762

CWE-20: Improper Input Validation