Red Hat Security Advisory 2013-1284-01 - Puppet allows provisioning, patching, and configuration of clients to be managed and automated. A flaw was found in the way Puppet handled YAML content during Representational State Transfer API calls. An attacker could construct a request containing a crafted YAML payload that would cause the Puppet master to execute arbitrary code. It was found that resource_type requests could be used to cause the Puppet master to load and run Ruby files from anywhere on the file system. In non-default configurations, a local user on the Puppet master server could use this flaw to have arbitrary Ruby code executed with the privileges of the Puppet master.
4bb7805d5def15a8dc28ddfaae2ef552d6d9441335f4d97325b7f1fdf1f7cc80Red Hat Security Advisory 2013-1283-01 - Puppet allows provisioning, patching, and configuration of clients to be managed and automated. A flaw was found in the way Puppet handled YAML content during Representational State Transfer API calls. An attacker could construct a request containing a crafted YAML payload that would cause the Puppet master to execute arbitrary code. It was found that resource_type requests could be used to cause the Puppet master to load and run Ruby files from anywhere on the file system. In non-default configurations, a local user on the Puppet master server could use this flaw to have arbitrary Ruby code executed with the privileges of the Puppet master.
63ebc0aa0fac12c356a13589f9eb998f453cf710856dedc04932ebb1d46ecd16Debian Linux Security Advisory 2761-1 - Several vulnerabilities were discovered in puppet, a centralized configuration management system.
e21a0bf299d290b68b0968e965c5bec067190587b93633d31aefda8ca029212aMandriva Linux Security Advisory 2013-222 - It was discovered that Puppet incorrectly handled the resource_type service. A local attacker on the master could use this issue to execute arbitrary Ruby files. It was discovered that Puppet incorrectly handled permissions on the modules it installed. Modules could be installed with the permissions that existed when they were built, possibly exposing them to a local attacker.
b9b2e0d9a30061a4929ce87461ea0acf12f98e9413ea4e6c9ff8fcd444c02674Gentoo Linux Security Advisory 2013-08-04 - Multiple vulnerabilities have been found in Puppet, the worst of which could lead to execution of arbitrary code. Versions less than 2.7.23 are affected.
0540da72c54f57cbe5a156cdb95056d98fa489beca31a869e539fa0bb49ca073Ubuntu Security Notice 1928-1 - It was discovered that Puppet incorrectly handled the resource_type service. A local attacker on the master could use this issue to execute arbitrary Ruby files. It was discovered that Puppet incorrectly handled permissions on the modules it installed. Modules could be installed with the permissions that existed when they were built, possibly exposing them to a local attacker. Various other issues were also addressed.
cdcde70f2713266a5b8a4ed92df915a902df42405d256a043c28743f4e1f6c7b
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed