All the vulnerabilites related to Puppet - Puppet Agent
cve-2017-10690
Vulnerability from cvelistv5
Published
2018-02-09 20:00
Modified
2024-09-16 17:49
Severity ?
Summary
In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4
References
https://access.redhat.com/errata/RHSA-2018:2927vendor-advisory, x_refsource_REDHAT
https://puppet.com/security/cve/CVE-2017-10690x_refsource_CONFIRM
Impacted products
Vendor Product Version
Puppet Puppet Agent Version: 5.x prior to 5.3.4
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:41:55.656Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2018:2927",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2927"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://puppet.com/security/cve/CVE-2017-10690"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Puppet Enterprise",
          "vendor": "Puppet",
          "versions": [
            {
              "status": "affected",
              "version": "2017.3.x prior to 2017.3.4"
            }
          ]
        },
        {
          "product": "Puppet Agent",
          "vendor": "Puppet",
          "versions": [
            {
              "status": "affected",
              "version": "5.x prior to 5.3.4"
            }
          ]
        }
      ],
      "datePublic": "2018-02-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Privilege Escalation",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-17T09:57:01",
        "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
        "shortName": "puppet"
      },
      "references": [
        {
          "name": "RHSA-2018:2927",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2927"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://puppet.com/security/cve/CVE-2017-10690"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@puppet.com",
          "DATE_PUBLIC": "2018-02-05T00:00:00",
          "ID": "CVE-2017-10690",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Puppet Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "2017.3.x prior to 2017.3.4"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Puppet Agent",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.x prior to 5.3.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Puppet"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Privilege Escalation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2018:2927",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            },
            {
              "name": "https://puppet.com/security/cve/CVE-2017-10690",
              "refsource": "CONFIRM",
              "url": "https://puppet.com/security/cve/CVE-2017-10690"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
    "assignerShortName": "puppet",
    "cveId": "CVE-2017-10690",
    "datePublished": "2018-02-09T20:00:00Z",
    "dateReserved": "2017-06-29T00:00:00",
    "dateUpdated": "2024-09-16T17:49:12.591Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2017-10689
Vulnerability from cvelistv5
Published
2018-02-09 20:00
Modified
2024-09-17 00:20
Severity ?
Summary
In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.
References
https://usn.ubuntu.com/3567-1/vendor-advisory, x_refsource_UBUNTU
https://puppet.com/security/cve/CVE-2017-10689x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:2927vendor-advisory, x_refsource_REDHAT
Impacted products
Vendor Product Version
Puppet Puppet Agent Version: prior to 5.3.4 or 1.10.10
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:41:55.627Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-3567-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3567-1/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://puppet.com/security/cve/CVE-2017-10689"
          },
          {
            "name": "RHSA-2018:2927",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2927"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Puppet Enterprise",
          "vendor": "Puppet",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 2016.4.10 or 2017.3.4"
            }
          ]
        },
        {
          "product": "Puppet Agent",
          "vendor": "Puppet",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.3.4 or 1.10.10"
            }
          ]
        }
      ],
      "datePublic": "2018-02-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Incorrect Permission Handling",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-17T09:57:01",
        "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
        "shortName": "puppet"
      },
      "references": [
        {
          "name": "USN-3567-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3567-1/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://puppet.com/security/cve/CVE-2017-10689"
        },
        {
          "name": "RHSA-2018:2927",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2927"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@puppet.com",
          "DATE_PUBLIC": "2018-02-05T00:00:00",
          "ID": "CVE-2017-10689",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Puppet Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to 2016.4.10 or 2017.3.4"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Puppet Agent",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to 5.3.4 or 1.10.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Puppet"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Incorrect Permission Handling"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-3567-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3567-1/"
            },
            {
              "name": "https://puppet.com/security/cve/CVE-2017-10689",
              "refsource": "CONFIRM",
              "url": "https://puppet.com/security/cve/CVE-2017-10689"
            },
            {
              "name": "RHSA-2018:2927",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
    "assignerShortName": "puppet",
    "cveId": "CVE-2017-10689",
    "datePublished": "2018-02-09T20:00:00Z",
    "dateReserved": "2017-06-29T00:00:00",
    "dateUpdated": "2024-09-17T00:20:43.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2020-7942
Vulnerability from cvelistv5
Published
2020-02-19 20:52
Modified
2024-08-04 09:48
Severity ?
Summary
Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 6.x prior to 6.13.0 Puppet Agent 6.x prior to 6.13.0 Puppet 5.5.x prior to 5.5.19 Puppet Agent 5.5.x prior to 5.5.19 Resolved in: Puppet 6.13.0 Puppet Agent 6.13.0 Puppet 5.5.19 Puppet Agent 5.5.19
References
https://puppet.com/security/cve/CVE-2020-7942/x_refsource_CONFIRM
Impacted products
Vendor Product Version
Puppet Puppet Agent Version: 5.5.x prior to 5.5.19
Version: Fixed in 5.5.19
Version: 6.x prior to 6.13.0
Version: Fixed in 6.13.0
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:48:24.553Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://puppet.com/security/cve/CVE-2020-7942/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Puppet",
          "vendor": "Puppet",
          "versions": [
            {
              "status": "affected",
              "version": "5.5.x prior to 5.5.19"
            },
            {
              "status": "affected",
              "version": "Fixed in 5.5.19"
            },
            {
              "status": "affected",
              "version": "6.x prior to 6.13.0"
            },
            {
              "status": "affected",
              "version": "Fixed in 6.13.0"
            }
          ]
        },
        {
          "product": "Puppet Agent",
          "vendor": "Puppet",
          "versions": [
            {
              "status": "affected",
              "version": "5.5.x prior to 5.5.19"
            },
            {
              "status": "affected",
              "version": "Fixed in 5.5.19"
            },
            {
              "status": "affected",
              "version": "6.x prior to 6.13.0"
            },
            {
              "status": "affected",
              "version": "Fixed in 6.13.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node\u0027s catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 6.x prior to 6.13.0 Puppet Agent 6.x prior to 6.13.0 Puppet 5.5.x prior to 5.5.19 Puppet Agent 5.5.x prior to 5.5.19 Resolved in: Puppet 6.13.0 Puppet Agent 6.13.0 Puppet 5.5.19 Puppet Agent 5.5.19"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Arbitrary retrieval",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-02T19:00:07",
        "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
        "shortName": "puppet"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://puppet.com/security/cve/CVE-2020-7942/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@puppet.com",
          "ID": "CVE-2020-7942",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Puppet",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.5.x prior to 5.5.19"
                          },
                          {
                            "version_value": "Fixed in 5.5.19"
                          },
                          {
                            "version_value": "6.x prior to 6.13.0"
                          },
                          {
                            "version_value": "Fixed in 6.13.0"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Puppet Agent",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.5.x prior to 5.5.19"
                          },
                          {
                            "version_value": "Fixed in 5.5.19"
                          },
                          {
                            "version_value": "6.x prior to 6.13.0"
                          },
                          {
                            "version_value": "Fixed in 6.13.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Puppet"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Previously, Puppet operated on a model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node\u0027s catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 and 5.5.19 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. Affected software versions: Puppet 6.x prior to 6.13.0 Puppet Agent 6.x prior to 6.13.0 Puppet 5.5.x prior to 5.5.19 Puppet Agent 5.5.x prior to 5.5.19 Resolved in: Puppet 6.13.0 Puppet Agent 6.13.0 Puppet 5.5.19 Puppet Agent 5.5.19"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Arbitrary retrieval"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://puppet.com/security/cve/CVE-2020-7942/",
              "refsource": "CONFIRM",
              "url": "https://puppet.com/security/cve/CVE-2020-7942/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
    "assignerShortName": "puppet",
    "cveId": "CVE-2020-7942",
    "datePublished": "2020-02-19T20:52:03",
    "dateReserved": "2020-01-23T00:00:00",
    "dateUpdated": "2024-08-04T09:48:24.553Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-6515
Vulnerability from cvelistv5
Published
2018-06-11 20:00
Modified
2024-09-16 23:10
Severity ?
Summary
Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2 on Windows only, with a specially crafted configuration file an attacker could get pxp-agent to load arbitrary code with privilege escalation.
References
https://puppet.com/security/cve/CVE-2018-6515x_refsource_CONFIRM
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:10:10.111Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://puppet.com/security/cve/CVE-2018-6515"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Puppet Agent",
          "vendor": "Puppet",
          "versions": [
            {
              "status": "affected",
              "version": "Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2"
            }
          ]
        }
      ],
      "datePublic": "2018-06-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2 on Windows only, with a specially crafted configuration file an attacker could get pxp-agent to load arbitrary code with privilege escalation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Arbitrary Code Execution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-11T19:57:01",
        "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
        "shortName": "puppet"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://puppet.com/security/cve/CVE-2018-6515"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@puppet.com",
          "DATE_PUBLIC": "2018-06-11T00:00:00",
          "ID": "CVE-2018-6515",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Puppet Agent",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Puppet"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2 on Windows only, with a specially crafted configuration file an attacker could get pxp-agent to load arbitrary code with privilege escalation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Arbitrary Code Execution"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://puppet.com/security/cve/CVE-2018-6515",
              "refsource": "CONFIRM",
              "url": "https://puppet.com/security/cve/CVE-2018-6515"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
    "assignerShortName": "puppet",
    "cveId": "CVE-2018-6515",
    "datePublished": "2018-06-11T20:00:00Z",
    "dateReserved": "2018-02-01T00:00:00",
    "dateUpdated": "2024-09-16T23:10:26.852Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2016-5713
Vulnerability from cvelistv5
Published
2017-12-06 15:00
Modified
2024-09-17 00:06
Severity ?
Summary
Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0.
References
https://puppet.com/security/cve/cve-2016-5713x_refsource_CONFIRM
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T01:07:59.971Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://puppet.com/security/cve/cve-2016-5713"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Puppet Agent",
          "vendor": "Puppet",
          "versions": [
            {
              "status": "affected",
              "version": "Introduced in 1.3.0, fixed in 1.6.0"
            }
          ]
        }
      ],
      "datePublic": "2016-08-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Privilege Escalation",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-12-06T14:57:02",
        "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
        "shortName": "puppet"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://puppet.com/security/cve/cve-2016-5713"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@puppet.com",
          "DATE_PUBLIC": "2016-08-11T00:00:00",
          "ID": "CVE-2016-5713",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Puppet Agent",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Introduced in 1.3.0, fixed in 1.6.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Puppet"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Privilege Escalation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://puppet.com/security/cve/cve-2016-5713",
              "refsource": "CONFIRM",
              "url": "https://puppet.com/security/cve/cve-2016-5713"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
    "assignerShortName": "puppet",
    "cveId": "CVE-2016-5713",
    "datePublished": "2017-12-06T15:00:00Z",
    "dateReserved": "2016-06-16T00:00:00",
    "dateUpdated": "2024-09-17T00:06:12.325Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2018-6514
Vulnerability from cvelistv5
Published
2018-06-11 20:00
Modified
2024-09-16 17:49
Severity ?
Summary
In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2, Facter on Windows is vulnerable to a DLL preloading attack, which could lead to a privilege escalation.
References
https://puppet.com/security/cve/CVE-2018-6514x_refsource_CONFIRM
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:10:10.097Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://puppet.com/security/cve/CVE-2018-6514"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Puppet Agent",
          "vendor": "Puppet",
          "versions": [
            {
              "status": "affected",
              "version": "Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2"
            }
          ]
        }
      ],
      "datePublic": "2018-06-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2, Facter on Windows is vulnerable to a DLL preloading attack, which could lead to a privilege escalation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Arbitrary Code Execution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-06-11T19:57:01",
        "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
        "shortName": "puppet"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://puppet.com/security/cve/CVE-2018-6514"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@puppet.com",
          "DATE_PUBLIC": "2018-06-11T00:00:00",
          "ID": "CVE-2018-6514",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Puppet Agent",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Puppet"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2, Facter on Windows is vulnerable to a DLL preloading attack, which could lead to a privilege escalation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Arbitrary Code Execution"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://puppet.com/security/cve/CVE-2018-6514",
              "refsource": "CONFIRM",
              "url": "https://puppet.com/security/cve/CVE-2018-6514"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
    "assignerShortName": "puppet",
    "cveId": "CVE-2018-6514",
    "datePublished": "2018-06-11T20:00:00Z",
    "dateReserved": "2018-02-01T00:00:00",
    "dateUpdated": "2024-09-16T17:49:24.249Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}