6.2

CVE-2014-3248

Exploit

EPSS 0.16%
Veröffentlicht 16.11.2014 17:59:03
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 0 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Puppet ≫ Facter Version2.0.0 Updaterc1

Puppet ≫ Facter Version2.0.0 Updaterc2

Puppet ≫ Facter Version2.0.0 Updaterc3

Puppet ≫ Facter Version2.0.0 Updaterc4

Puppet ≫ Facter Version2.0.1 Update-

Puppet ≫ Facter Version2.0.1 Updaterc1

Puppet ≫ Facter Version2.0.1 Updaterc2

Puppet ≫ Facter Version2.0.1 Updaterc3

Puppet ≫ Facter Version2.0.1 Updaterc4

Puppetlabs ≫ Facter Version >= 1.6.0 <= 1.6.18

Puppet ≫ Marionette Collective Version < 2.5.2

Puppet ≫ Hiera Version < 1.3.4

Puppet ≫ Puppet Version < 2.7.26

Puppet ≫ Puppet Version >= 3.6.0 < 3.6.2

Puppet ≫ Puppet Enterprise Version >= 2.8.0 < 2.8.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.16%	0.342

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.2	1.9	10	AV:L/AC:H/Au:N/C:C/I:C/A:C

http://secunia.com/advisories/59197

Technical Description

http://puppetlabs.com/security/cve/cve-2014-3248

Vendor Advisory

http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/

Exploit

Technical Description

http://secunia.com/advisories/59200

Technical Description

http://www.securityfocus.com/bid/68035

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2014-3248

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-3248

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-3248

EUVD