CVE-2013-4966 — Improper Authentication in Enterprise

CWE-287 — Improper Authentication5 documents5 sources

Severity

6.4MEDIUMNVD

EPSS

0.2%

top 54.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Enterprise

Timeline

PublishedMar 9

Latest updateMay 14

Description

The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages1 packages

▶NVDpuppet/puppet_enterprise3.1.1+3

🔴Vulnerability Details

GHSA

GHSA-r6x2-cpwm-cr43: The master external node classification script in Puppet Enterprise before 3↗2022-05-14

▶

CVEList

CVE-2013-4966: The master external node classification script in Puppet Enterprise before 3↗2014-03-07

▶

📋Vendor Advisories

Debian

CVE-2013-4966: puppet - The master external node classification script in Puppet Enterprise before 3.2.0...↗2013

▶

💬Community

Bugzilla

CVE-2011-4966 freeradius: does not respect expired passwords when using the unix module↗2012-11-21

▶