CVE-2013-4966

The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.

CVSS v2.0 6.4 MEDIUM

6.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://puppetlabs.com/security/cve/cve-2013-4966	Vendor Advisory
http://www.securitytracker.com/id/1029873

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:puppet:puppet_enterprise::::::::
	cpe:2.3:a:puppet:puppet_enterprise:3.0.0:::::::*
	cpe:2.3:a:puppet:puppet_enterprise:3.0.1:::::::*
	cpe:2.3:a:puppet:puppet_enterprise:3.1.0:::::::*

History

No history.

Information

Published : 2014-03-09 13:16

Updated : 2024-02-04 18:35

NVD link : CVE-2013-4966

Mitre link : CVE-2013-4966

CVE.ORG link : CVE-2013-4966

JSON object : View

Products Affected

puppet

puppet_enterprise

CWE

CWE-287

Improper Authentication

{"id": "CVE-2013-4966", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-03-09T13:16:56.413", "references": [{"url": "http://puppetlabs.com/security/cve/cve-2013-4966", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.securitytracker.com/id/1029873", "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console."}, {"lang": "es", "value": "El script maestro de clasificaci\u00f3n de nodo externo en Puppet Enterprise anterior a 3.2.0 no verifica la identidad de consolas, lo que permite a atacantes remotos crear clasificaciones arbitrarias en el maestro mediante la falsificaci\u00f3n de una consola."}], "lastModified": "2019-07-10T18:10:43.307", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8AEC7422-1DDD-44DB-A9B3-129D673B34A3", "versionEndIncluding": "3.1.1"}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:3.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE0A2F50-A73B-4598-BE73-1DDA1084352A"}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:3.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F641A2B7-E90E-45DC-BCE0-E1776C1CF691"}, {"criteria": "cpe:2.3:a:puppet:puppet_enterprise:3.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3CFF3B0A-2C66-445A-BB5C-136DCAA584FE"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}