Lucene search

K
gentooGentoo FoundationGLSA-201203-03
HistoryMar 06, 2012 - 12:00 a.m.

Puppet: Multiple vulnerabilities

2012-03-0600:00:00
Gentoo Foundation
security.gentoo.org
17

CVSS2

6.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.006

Percentile

78.1%

Background

Puppet is a system configuration management tool written in Ruby.

Description

Multiple vulnerabilities have been discovered in Puppet. Please review the CVE identifiers referenced below for details.

Impact

A local attacker could gain elevated privileges, or access and modify arbitrary files. Furthermore, a remote attacker may be able to spoof a Puppet Master or write X.509 Certificate Signing Requests to arbitrary locations.

Workaround

There is no known workaround at this time.

Resolution

All Puppet users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-admin/puppet-2.7.11"
OSVersionArchitecturePackageVersionFilename
Gentooanyallapp-admin/puppet< 2.7.11UNKNOWN

CVSS2

6.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.006

Percentile

78.1%