CVE-2018-6514 — Untrusted Search Path in Puppet

CWE-426 — Untrusted Search Path6 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 55.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Puppet Agent

Timeline

PublishedJun 11

Latest updateMay 14

Description

In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2, Facter on Windows is vulnerable to a DLL preloading attack, which could lead to a privilege escalation.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5puppet/puppet_agentPuppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2

▶NVDpuppet/puppet1.10.0 — 1.10.13+2

🔴Vulnerability Details

GHSA

GHSA-w26j-rr99-hqph: In Puppet Agent 1↗2022-05-14

▶

CVEList

CVE-2018-6514: In Puppet Agent 1↗2018-06-11

▶

📋Vendor Advisories

Red Hat

puppet-agent: Facter tries to load DLLs from the current working directory↗2018-06-07

▶

Debian

CVE-2018-6514: facter - In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Pupp...↗2018

▶

💬Community

Bugzilla

CVE-2018-6514 puppet-agent: Facter tries to load DLLs from the current working directory↗2018-06-08

▶