Overview

CVE-2014-3248 (Arbitrary Code Execution with Required Social Engineering)

Posted June 10, 2014
Assessed Risk Level: Medium

On platforms with Ruby 1.9.1 or earlier, an attacker could have Puppet execute malicious code by convincing a privileged user to change directories to one containing the malicious code and then run Puppet.

CVSSv2 Score: 5.2

Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

Status:

Affected Software Versions (platforms with Ruby 1.9.1 and earlier only):

Puppet Enterprise 2.8 (all)
Puppet (all)
Facter (all)
Hiera (all)
Mcollective (all)

Resolved in:

Puppet Enterprise 2.8.7
Puppet 3.6.2
Puppet 2.7.26
Facter 2.0.2
Facter 1.7.6
Hiera 1.3.4
Mcollective 2.5.2

Credit:

Acknowledgement for the responsible disclosure of this vulnerability to Puppet Labs

Dennis Rowe (shr3kst3r)

Overview

CVE-2014-3248 (Arbitrary Code Execution with Required Social Engineering)

Posted June 10, 2014

Assessed Risk Level: Medium

Status:

Credit: