what you don't know can hurt you
Showing 1 - 6 of 6 RSS Feed

CVE-2013-4761

Status Candidate

Overview

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master.

Related Files

Red Hat Security Advisory 2013-1284-01
Posted Sep 24, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1284-01 - Puppet allows provisioning, patching, and configuration of clients to be managed and automated. A flaw was found in the way Puppet handled YAML content during Representational State Transfer API calls. An attacker could construct a request containing a crafted YAML payload that would cause the Puppet master to execute arbitrary code. It was found that resource_type requests could be used to cause the Puppet master to load and run Ruby files from anywhere on the file system. In non-default configurations, a local user on the Puppet master server could use this flaw to have arbitrary Ruby code executed with the privileges of the Puppet master.

tags | advisory, arbitrary, local, ruby
systems | linux, redhat
advisories | CVE-2013-3567, CVE-2013-4761, CVE-2013-4956
MD5 | 465fc1948a0450b2d436ffea9e20625f
Red Hat Security Advisory 2013-1283-01
Posted Sep 24, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-1283-01 - Puppet allows provisioning, patching, and configuration of clients to be managed and automated. A flaw was found in the way Puppet handled YAML content during Representational State Transfer API calls. An attacker could construct a request containing a crafted YAML payload that would cause the Puppet master to execute arbitrary code. It was found that resource_type requests could be used to cause the Puppet master to load and run Ruby files from anywhere on the file system. In non-default configurations, a local user on the Puppet master server could use this flaw to have arbitrary Ruby code executed with the privileges of the Puppet master.

tags | advisory, arbitrary, local, ruby
systems | linux, redhat
advisories | CVE-2013-3567, CVE-2013-4761, CVE-2013-4956
MD5 | eb9c6325528af554e462d08715d10cb8
Debian Security Advisory 2761-1
Posted Sep 20, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2761-1 - Several vulnerabilities were discovered in puppet, a centralized configuration management system.

tags | advisory, vulnerability
systems | linux, debian
advisories | CVE-2013-4761, CVE-2013-4956
MD5 | ebbf4f9bcba9ed995e3b3242da421ed0
Mandriva Linux Security Advisory 2013-222
Posted Aug 27, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-222 - It was discovered that Puppet incorrectly handled the resource_type service. A local attacker on the master could use this issue to execute arbitrary Ruby files. It was discovered that Puppet incorrectly handled permissions on the modules it installed. Modules could be installed with the permissions that existed when they were built, possibly exposing them to a local attacker.

tags | advisory, arbitrary, local, ruby
systems | linux, mandriva
advisories | CVE-2013-4761, CVE-2013-4956
MD5 | 26d456c885f0459f3cc8ae86f86abe5c
Gentoo Linux Security Advisory 2013-08-04
Posted Aug 23, 2013
Site security.gentoo.org

Gentoo Linux Security Advisory 2013-08-04 - Multiple vulnerabilities have been found in Puppet, the worst of which could lead to execution of arbitrary code. Versions less than 2.7.23 are affected.

tags | advisory, arbitrary, vulnerability
advisories | CVE-2012-6120, CVE-2013-1640, CVE-2013-1652, CVE-2013-1653, CVE-2013-1654, CVE-2013-1655, CVE-2013-2274, CVE-2013-2275, CVE-2013-3567, CVE-2013-4761, CVE-2013-4956
MD5 | b7bd9bc6b79ccc873e88b20f9c3dfd01
Ubuntu Security Notice USN-1928-1
Posted Aug 15, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1928-1 - It was discovered that Puppet incorrectly handled the resource_type service. A local attacker on the master could use this issue to execute arbitrary Ruby files. It was discovered that Puppet incorrectly handled permissions on the modules it installed. Modules could be installed with the permissions that existed when they were built, possibly exposing them to a local attacker. Various other issues were also addressed.

tags | advisory, arbitrary, local, ruby
systems | linux, ubuntu
advisories | CVE-2013-4761, CVE-2013-4956, CVE-2013-4761, CVE-2013-4956
MD5 | 969f63c53455add9cbcee4da7c7c1e5c
Page 1 of 1
Back1Next

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    11 Files
  • 6
    Dec 6th
    9 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close