CVE-2013-4969 — Link Following in Enterprise

CWE-59 — Link Following CWE-377 — Insecure Temporary File10 documents8 sources

Severity

2.1LOWNVD

EPSS

0.0%

top 88.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Puppet Enterprise Puppetlabs Puppet +2 more

Timeline

PublishedJan 7

Latest updateMay 13

Description

Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files.

CVSS vector

AV:L/AC:L/C:N/I:P/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages3 packages

▶NVDpuppet/puppet_enterprise2.0.0 — 2.8.4+1

▶NVDpuppetlabs/puppet3.4.0 — 3.4.1+1

▶Debianpuppet/puppet< 3.4.1-1

Also affects: Debian Linux 6.0, 7.0, 8.0, Ubuntu Linux 12.04, 12.10, 13.04, 13.10

🔴Vulnerability Details

GHSA

GHSA-73jw-pjcv-9rgm: Puppet before 3↗2022-05-13

▶

OSV

CVE-2013-4969: Puppet before 3↗2014-01-07

▶

CVEList

CVE-2013-4969: Puppet before 3↗2014-01-07

▶

📋Vendor Advisories

Ubuntu

Puppet vulnerability↗2014-01-06

▶

Red Hat

Puppet: Unsafe use of Temp files in File type↗2013-12-26

▶

Debian

CVE-2013-4969: puppet - Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4...↗2013

▶

💬Community

Bugzilla

CVE-2013-4969 Puppet: Unsafe use of Temp files in File type [fedora-all]↗2014-01-02

▶

Bugzilla

CVE-2013-4969 Puppet: Unsafe use of Temp files in File type↗2013-12-19

▶

Bugzilla

CVE-2011-4969 jquery: Cross-site scripting (XSS) via $(location.hash) and $(#<tag>)↗2013-02-01

▶