Overview

CVE-2014-3248 (Arbitrary Code Execution with Required Social Engineering)

  • Posted June 10, 2014

  • Assessed Risk Level: Medium

On platforms with Ruby 1.9.1 or earlier, an attacker could have Puppet execute malicious code by convincing a privileged user to change directories to one containing the malicious code and then run Puppet.
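An added example, not part of the original advisory and not Puppet's code: Ruby up to 1.9.1 placed the current directory (`.`) in `$LOAD_PATH` by default, so a `require` could resolve to a file in whatever directory the process was started from. Assuming that is the condition behind the Ruby version limit above, the check below lists load-path entries that are relative, resolve to the working directory, or are world-writable; the function name, the reason labels and the POSIX permission test are assumptions of this example.

```ruby
require 'pathname'

# Added example: audit a Ruby load path for entries a local user could control.
# Reasons reported per entry:
#   :relative         resolved against whatever directory the process runs in
#   :resolves_to_cwd  currently points at the working directory
#   :world_writable   any local user can create files there (POSIX mode bits)
def risky_load_path_entries(load_path = $LOAD_PATH, cwd = Dir.pwd)
  cwd_real = Pathname.new(cwd).realpath
  findings = []
  load_path.each do |entry|
    path = Pathname.new(entry.to_s)
    reasons = []
    reasons << :relative unless path.absolute?
    # Resolve the entry the way a process started in `cwd` would see it.
    resolved = Pathname.new(File.expand_path(entry.to_s, cwd))
    if resolved.directory?
      reasons << :resolves_to_cwd if resolved.realpath == cwd_real
      reasons << :world_writable if (resolved.stat.mode & 0002) != 0
    end
    findings << { :entry => entry.to_s, :reasons => reasons } unless reasons.empty?
  end
  findings
end

# Report on the interpreter and directory this script is run from.
if __FILE__ == $PROGRAM_NAME
  puts "ruby #{RUBY_VERSION}, cwd #{Dir.pwd}"
  risky = risky_load_path_entries
  puts 'no risky load-path entries found' if risky.empty?
  risky.each { |f| puts "#{f[:entry].inspect}: #{f[:reasons].join(', ')}" }
end
```

Run it with the same Ruby interpreter and from the same directory that Puppet, Facter, Hiera or MCollective would be started from; any reported entry is a location that should be writable only by trusted users.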

CVSSv2 Score: 5.2

Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

Status:

Affected Software Versions (platforms with Ruby 1.9.1 and earlier only):

  • Puppet Enterprise 2.8 (all)
  • Puppet (all)
  • Facter (all)
  • Hiera (all)
  • MCollective (all)

Resolved in:

  • Puppet Enterprise 2.8.7
  • Puppet 3.6.2
  • Puppet 2.7.26
  • Facter 2.0.2
  • Facter 1.7.6
  • Hiera 1.3.4
  • MCollective 2.5.2

Credit:

Puppet Labs acknowledges the following for the responsible disclosure of this vulnerability:

  • Dennis Rowe (shr3kst3r)