Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2014-2021 Tenable Network Security, Inc.PUPPET_ENTERPRISE_311.NASL
HistoryMar 21, 2014 - 12:00 a.m.

Puppet Enterprise 3.x < 3.1.1 Multiple Vulnerabilities

2014-03-2100:00:00
This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.
www.tenable.com
14
JSON

According to its self-reported version number, the Puppet Enterprise 3.x install on the remote host is prior to 3.1.1. As a result, it is reportedly affected by multiple vulnerabilities :

  • An input validation error exists related to the included Ruby version, handling string to floating point conversions that could allow denial of service attacks or arbitrary code execution. (CVE-2013-4164)

  • An error exists related to the included RubyGems version and ‘gem build’, ‘Gem::Package’, and ‘Gem::PackageTask’ API calls that could allow denial of service attacks. (CVE-2013-4363)

  • An error exists in the ‘i18n’ gem for Ruby that could allow cross-site scripting attacks. (CVE-2013-4491)

  • An error exists related to handling temporary files that could allow a local attacker to overwrite files by using a symlink attack. (CVE-2013-4969)

  • An error exists related to the included Ruby on Rails, ‘Action View’, and handling certain headers that could allow denial of service attacks. (CVE-2013-6414)

  • An input validation error exists related to the included Ruby on Rails and the ‘unit’ parameter in the ‘number_to_currency’ helper that could allow cross-site scripting attacks. (CVE-2013-6415)

  • An input validation error exists related to the included Ruby on Rails, JSON parameter parsing and SQL queries that could allow SQL injection attacks.
    (CVE-2013-6417)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(73132);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id(
    "CVE-2013-4164",
    "CVE-2013-4363",
    "CVE-2013-4491",
    "CVE-2013-4969",
    "CVE-2013-6414",
    "CVE-2013-6415",
    "CVE-2013-6417"
  );
  script_bugtraq_id(62442, 63873, 64074, 64076, 64077, 64106, 64552);

  script_name(english:"Puppet Enterprise 3.x < 3.1.1 Multiple Vulnerabilities");
  script_summary(english:"Checks Puppet Enterprise version");

  script_set_attribute(
    attribute:"synopsis",
    value:
"A web application on the remote host is affected by multiple
vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"According to its self-reported version number, the Puppet Enterprise
3.x install on the remote host is prior to 3.1.1.  As a result, it is
reportedly affected by multiple vulnerabilities :

  - An input validation error exists related to the
    included Ruby version, handling string to floating point
    conversions that could allow denial of service attacks
    or arbitrary code execution. (CVE-2013-4164)

  - An error exists related to the included RubyGems
    version and 'gem build', 'Gem::Package', and
    'Gem::PackageTask' API calls that could allow denial
    of service attacks. (CVE-2013-4363)

  - An error exists in the 'i18n' gem for Ruby that could
    allow cross-site scripting attacks. (CVE-2013-4491)

  - An error exists related to handling temporary files
    that could allow a local attacker to overwrite files by
    using a symlink attack. (CVE-2013-4969)

  - An error exists related to the included Ruby on Rails,
    'Action View', and handling certain headers that could
    allow denial of service attacks. (CVE-2013-6414)

  - An input validation error exists related to the
    included Ruby on Rails and the 'unit' parameter in the
    'number_to_currency' helper that could allow cross-site
    scripting attacks. (CVE-2013-6415)

  - An input validation error exists related to the
    included Ruby on Rails, JSON parameter parsing and SQL
    queries that could allow SQL injection attacks.
    (CVE-2013-6417)"
  );
  script_set_attribute(attribute:"see_also", value:"https://groups.google.com/forum/#!topic/puppet-users/f_gybceSV6E");
  script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2013-4164");
  script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2013-4363");
  script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2013-4491");
  script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2013-4969");
  script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2013-6414");
  script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2013-6415");
  script_set_attribute(attribute:"see_also", value:"https://puppet.com/security/cve/cve-2013-6417");
  script_set_attribute(attribute:"solution", value:"Upgrade to Puppet Enterprise 3.1.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
  
script_set_attribute(attribute:"vuln_publication_date", value:"2013/09/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/03/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/21");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:puppetlabs:puppet");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2014-2021 Tenable Network Security, Inc.");

  script_dependencies("puppet_rest_detect.nasl");
  script_require_keys("puppet/rest_port");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

##
# checks if the given version falls between the given bounds, and
# generates plugin output if it does
#
# @anonparam ver version to check
# @anonparam fix first fixed version
# @anonparam min_ver the lowest/earliest vulnerable version, relative to 'fix' (optional)
#
# @return plugin output if 'ver' is vulnerable relative to 'fix' and/or 'min_ver',
#         NULL otherwise
##
function _check_version(enterprise)
{
  local_var ver, fix, min_ver, major_ver, report;
  ver = _FCT_ANON_ARGS[0];
  fix = _FCT_ANON_ARGS[1];
  min_ver = _FCT_ANON_ARGS[2];

  if (
    # no lower bound
    (isnull(min_ver) && ver_compare(ver:ver, fix:fix, strict:FALSE) < 0) ||

    # lower bound
    (
      !isnull(min_ver) &&
      ver_compare(ver:ver, fix:fix, strict:FALSE) < 0 &&
      ver_compare(ver:ver, fix:min_ver, strict:FALSE) >= 0
    )
  )
  {
    if (enterprise)
    {
      report =
        '\n  Installed version : Puppet Enterprise ' + ver +
        '\n  Fixed version     : Puppet Enterprise ' + fix + '\n';
    }
    else report = NULL;
  }
  else report = NULL;

  return report;
}

port = get_kb_item_or_exit('puppet/rest_port');
ver = get_kb_item_or_exit('puppet/' + port + '/version');
report = NULL;
vuln = FALSE;

if ('Enterprise' >< ver)
{
  # convert something like
  #   2.7.19 (Puppet Enterprise 2.7.0)
  # to
  #   2.7.0
  match = eregmatch(string:ver, pattern:"Enterprise ([0-9.]+)\)");
  if (isnull(match)) audit(AUDIT_UNKNOWN_WEB_APP_VER, 'Puppet Enterprise', build_url(port:port));
  ver = match[1];

  # Resolved in Puppet Enterprise 3.1.1
  if (report = _check_version(ver, '3.1.1', '3.0.0', enterprise:TRUE))
  {
    vuln = TRUE;
  }
}

if (!vuln) audit(AUDIT_LISTEN_NOT_VULN, 'Puppet', port, ver);

set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);

if (report_verbosity > 0) security_warning(port:port, extra:report);
else security_warning(port);
VendorProductVersionCPE
puppetlabspuppetcpe:/a:puppetlabs:puppet

Related

securityvulns 7
redhat 7
openvas 45
fedora 14
nessus 49
debian 7
freebsd 3
osv 6
github 5
ubuntucve 7
gitlab 4
prion 7
debiancve 6
seebug 1
cve 7
amazon 5
ubuntu 2
mageia 3
oraclelinux 1
veracode 3
f5 2
suse 2
centos 1
slackware 1
rubygems 2
hackerone 1
ibm 1
securityvulns
securityvulns
Ruby Actionpack / Actionmailer multiple security vulnerabilities
2014-05-04 00:00:00
[SECURITY] [DSA 2888-1] ruby-actionpack-3.2 security update
2014-05-04 00:00:00
puppet symbolic links vulnerability
2014-01-08 00:00:00
redhat
redhat
(RHSA-2013:1794) Important: ruby193-rubygem-actionpack security update
2013-12-05 00:00:00
(RHSA-2014:0008) Important: ruby193-rubygem-actionpack security update
2014-01-06 00:00:00
(RHSA-2014:1863) Important: Subscription Asset Manager 1.4 security update
2014-11-17 00:00:00
openvas
openvas
Debian Security Advisory DSA 2888-1 (ruby-actionpack-3.2 - security update)
2014-03-27 00:00:00
Debian Security Advisory DSA 2888-1 (ruby-actionpack-3.2 - security update)
2014-03-27 00:00:00
Fedora Update for rubygem-actionpack FEDORA-2014-0970
2014-01-27 00:00:00
fedora
fedora
[SECURITY] Fedora 19 Update: rubygem-actionpack-3.2.13-4.fc19
2014-01-24 07:50:26
[SECURITY] Fedora 20 Update: rubygem-actionpack-4.0.0-2.fc20
2014-03-07 06:36:05
[SECURITY] Fedora 19 Update: rubygem-actionpack-3.2.13-5.fc19
2014-03-11 04:11:08
nessus
nessus
openSUSE Security Update : rubygem-actionpack-3_2 (openSUSE-SU-2013:1907-1)
2014-06-13 00:00:00
FreeBSD : rails -- multiple vulnerabilities (6a806960-3016-44ed-8575-8614a7cb57c7)
2013-12-09 00:00:00
openSUSE Security Update : rubygem-actionpack-3_2 (openSUSE-SU-2013:1906-1)
2014-06-13 00:00:00
debian
debian
[SECURITY] [DSA 2888-1] ruby-actionpack-3.2 security update
2014-03-27 15:04:16
[SECURITY] [DSA 2831-2] puppet regression update
2014-01-17 16:07:16
[SECURITY] [DSA 2831-2] puppet regression update
2014-01-17 16:07:16
freebsd
freebsd
rails -- multiple vulnerabilities
2013-12-03 00:00:00
ruby-gems -- Algorithmic Complexity Vulnerability
2013-09-24 00:00:00
ruby -- Heap Overflow in Floating Point Parsing
2013-11-22 00:00:00
osv
osv
actionpack Improper Input Validation vulnerability
2017-10-24 18:33:37
actionpack vulnerable to Cross-site Scripting
2017-10-24 18:33:36
actionpack vulnerable to Cross-site Scripting
2017-10-24 18:33:37
github
github
actionpack Improper Input Validation vulnerability
2017-10-24 18:33:37
actionpack vulnerable to Cross-site Scripting
2017-10-24 18:33:36
actionpack vulnerable to Cross-site Scripting
2017-10-24 18:33:37
ubuntucve
ubuntucve
CVE-2013-6415
2013-12-07 00:00:00
CVE-2013-4969
2013-12-26 00:00:00
CVE-2013-6414
2013-12-07 00:00:00
gitlab
gitlab
Improper Input Validation
2013-12-07 00:00:00
XSS Vulnerability in number_to_currency
2013-12-06 00:00:00
Reflective XSS Vulnerability
2013-12-06 00:00:00
prion
prion
Code injection
2013-12-07 00:55:00
Code injection
2014-01-07 18:55:00
Cross site scripting
2013-12-07 00:55:00
debiancve
debiancve
CVE-2013-6415
2013-12-07 00:55:00
CVE-2013-4969
2014-01-07 18:55:00
CVE-2013-6414
2013-12-07 00:55:00
seebug
seebug
Puppet/Puppet Enterprise不安全临时文件符号链接攻击漏洞
2013-12-30 00:00:00
cve
cve
CVE-2013-6414
2013-12-07 00:55:00
CVE-2013-6415
2013-12-07 00:55:00
CVE-2013-4969
2014-01-07 18:55:00
amazon
amazon
Low: puppet
2014-02-03 15:28:00
Critical: ruby19
2013-11-22 21:42:00
Critical: ruby
2013-11-22 21:42:00
ubuntu
ubuntu
Puppet vulnerability
2014-01-06 00:00:00
Ruby vulnerabilities
2013-11-27 00:00:00
mageia
mageia
Updated puppet & puppet3 packages fix CVE-2013-4969 and a regression
2014-02-20 01:15:34
Updated ruby package fixes security vulnerability
2014-01-06 05:02:29
Updated ruby-RubyGems package fixes security vulnerabilies
2013-10-10 02:29:35
oraclelinux
oraclelinux
ruby security update
2013-11-26 00:00:00
veracode
veracode
Cross-site Scripting (XSS)
2019-01-15 08:52:53
Remote Code Execution (RCE)
2019-01-15 08:52:12
Database Authorization Bypass
2019-01-15 09:01:52
f5
f5
K15152 : Ruby vulnerability CVE-2013-4164
2014-04-10 00:00:00
SOL15152 - Ruby vulnerability CVE-2013-4164
2014-04-10 00:00:00
suse
suse
Security update for ruby19 (critical)
2013-12-17 00:04:23
Security update for ruby (critical)
2013-12-05 18:04:15
centos
centos
ruby security update
2013-11-26 13:37:12
slackware
slackware
[slackware-security] ruby
2013-12-17 03:50:10
rubygems
rubygems
CVE-2013-4164 ruby: heap overflow in floating point parsing
2013-11-22 00:00:00
CVE-2013-4363 rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix
2013-09-23 20:00:00
hackerone
hackerone
Ruby: Ruby: Heap Overflow in Floating Point Parsing
2013-11-22 00:00:00
ibm
ibm
Security Bulletin: IBM Security Network Protection System can be affected by vulnerabilities in Ruby on Rails and the Ruby language (CVE-2013-4492, CVE-2013-4164)
2018-06-16 21:16:38
JSON
Related for PUPPET_ENTERPRISE_311.NASL
securityvulns7redhat7openvas45fedora14nessus49debian7freebsd3osv6github5ubuntucve7gitlab4prion7debiancve6seebug1cve7amazon5ubuntu2mageia3oraclelinux1veracode3f52suse2centos1slackware1rubygems2hackerone1ibm1