CVE-2014-3248

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2014-3248

6.2 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:H/Au:N/C:C/I:C/A:C

Exploitability : 1.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity HIGH

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

U

ntrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.

References
Link Resource
http://puppetlabs.com/security/cve/cve-2014-3248 Vendor Advisory
http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/ Exploit Technical Description
http://secunia.com/advisories/59197 Technical Description
http://secunia.com/advisories/59200 Technical Description
http://www.securityfocus.com/bid/68035 Third Party Advisory VDB Entry
http://puppetlabs.com/security/cve/cve-2014-3248 Vendor Advisory
http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/ Exploit Technical Description
http://secunia.com/advisories/59197 Technical Description
http://secunia.com/advisories/59200 Technical Description
http://www.securityfocus.com/bid/68035 Third Party Advisory VDB Entry
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:puppet:facter:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.0:rc4:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.1:-:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.1:rc1:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.1:rc2:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.1:rc3:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.1:rc4:*:*:*:*:*:*
cpe:2.3:a:puppetlabs:facter:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:puppet:marionette_collective:*:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:puppet:hiera:*:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*
cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*
cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*
History

21 Nov 2024, 02:07

Type Values Removed Values Added
References () http://puppetlabs.com/security/cve/cve-2014-3248 - Vendor Advisory () http://puppetlabs.com/security/cve/cve-2014-3248 - Vendor Advisory
References () http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/ - Exploit, Technical Description () http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/ - Exploit, Technical Description
References () http://secunia.com/advisories/59197 - Technical Description () http://secunia.com/advisories/59197 - Technical Description
References () http://secunia.com/advisories/59200 - Technical Description () http://secunia.com/advisories/59200 - Technical Description
References () http://www.securityfocus.com/bid/68035 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/68035 - Third Party Advisory, VDB Entry
Information

Published : 2014-11-16 17:59

Updated : 2025-04-12 10:46

NVD link : CVE-2014-3248

Mitre link : CVE-2014-3248

CVE.ORG link : CVE-2014-3248

JSON object : View

Products Affected

puppet

puppetlabs

CWE
CWE-17

DEPRECATED: Code