CVE-2017-10689: Improper Privilege Management in Puppet

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.1% (top 74.27%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 9
Latest update: May 13

Description

In previous versions of Puppet Agent it was possible to install a module with world-writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix for this vulnerability.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (8 packages)

CVEListV5 | puppet/puppet_agent | prior to 5.3.4 or 1.10.10
NVD | puppet/puppet | 1.10.0 | 1.10.10 | +1
RubyGems | puppet/puppet | 5.0.0 | 5.3.4 | +1
NVD | puppet/puppet_enterprise | 2017.1.0 | 2017.3.4 | +1
Debian | puppet/puppet | < 5.4.0-1

Also affects: Ubuntu Linux 14.04

🔴 Vulnerability Details (5)

GHSA | Tarball permission preservation in puppet | 2022-05-13
OSV | Tarball permission preservation in puppet | 2022-05-13
OSV | puppet vulnerabilities | 2021-03-15
CVEList | CVE-2017-10689: In previous versions of Puppet Agent it was possible to install a module with world writable permissions | 2018-02-09
OSV | CVE-2017-10689: In previous versions of Puppet Agent it was possible to install a module with world writable permissions | 2018-02-09

📋 Vendor Advisories (4)

Ubuntu | Puppet vulnerabilities | 2021-03-15
Ubuntu | Puppet vulnerability | 2018-02-12
Red Hat | puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions | 2017-08-28
Debian | CVE-2017-10689: puppet - In previous versions of Puppet Agent it was possible to install a module with wo... | 2017

💬 Community (2)

Bugzilla | CVE-2017-10689 puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions | 2018-02-07
Bugzilla | CVE-2017-10689 puppet: Unpacking of tarballs in tar/mini.rb can create files with insecure permissions [fedora-all] | 2018-02-07
CVE-2017-10689 — Improper Privilege Management | cvebase