CVE Vulnerabilities

CVE-2013-2716

Published: Apr 10, 2013 | Modified: Jul 10, 2019
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 5 MEDIUM (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Puppet Labs Puppet Enterprise before 2.8.0 does not use a randomized secret in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie.

Affected Software

Name               Vendor      Start Version  End Version
Puppet_enterprise  Puppet      2.0.0          2.0.0
Puppet_enterprise  Puppet      2.5.1          2.5.1
Puppet_enterprise  Puppet      2.5.2          2.5.2
Puppet_enterprise  Puppet      *              2.7.2
Puppet             Puppetlabs  1.0.0          1.0.0
Puppet             Puppetlabs  1.1.0          1.1.0
Puppet             Puppetlabs  1.2.0          1.2.0
Puppet             Puppetlabs  2.5.0          2.5.0
Puppet             Puppetlabs  2.6.0          2.6.0

References