FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

puppet -- multiple vulnerabilities

Affected packages
2.7 <= puppet < 2.7.23
3.0 <= puppet < 3.2.4


VuXML ID 2b2f6092-0694-11e3-9e8e-000c29f6ae42
Discovery 2013-07-05
Entry 2013-08-16

Puppet Labs reports:

By using the `resource_type` service, an attacker could cause puppet to load arbitrary Ruby files from the puppet master node's file system. While this behavior is not enabled by default, `auth.conf` settings could be modified to allow it. The exploit requires local file system access to the Puppet Master.

Puppet Module Tool (PMT) did not correctly control permissions of modules it installed, instead transferring permissions that existed when the module was built.


CVE Name CVE-2013-4761
CVE Name CVE-2013-4956