CVE-2014-3248.yml
---
gem: hiera
cve: 2014-3248
ghsa: 92v7-pq4h-58j5
url: https://github.com/advisories/GHSA-92v7-pq4h-58j5
title: Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet
date: 2017-10-24
description: |
  Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7,
  Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera
  before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier,
  allows local users to gain privileges via a Trojan horse file in the current working
  directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2)
  Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so;
  or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so
  in puppet/confine.
patched_versions:
  - ">= 1.3.4"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2014-3248
    - https://github.com/advisories/GHSA-92v7-pq4h-58j5
    - http://puppetlabs.com/security/cve/cve-2014-3248
    - http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/
    - http://secunia.com/advisories/59197
    - http://secunia.com/advisories/59200
    - http://www.securityfocus.com/bid/68035