CVE-2013-1398 — Enterprise vulnerability

CWE-3104 documents4 sources

Severity

8.5HIGHNVD

EPSS

0.6%

top 30.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Enterprise Puppetlabs Puppet

Timeline

PublishedMar 14

Latest updateMay 14

Description

The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 6.8 | Impact: 10.0

Affected Packages2 packages

▶NVDpuppet/puppet_enterprise2.7.0+3

▶NVDpuppetlabs/puppet2.5.0, 2.6.0+1

🔴Vulnerability Details

GHSA

GHSA-frcj-xcfh-9j6w: The pe_mcollective module in Puppet Enterprise (PE) before 2↗2022-05-14

▶

CVEList

CVE-2013-1398: The pe_mcollective module in Puppet Enterprise (PE) before 2↗2014-03-14

▶

📋Vendor Advisories

Debian

CVE-2013-1398: puppet - The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not proper...↗2013

▶