CVE-2018-6515 — Improper Input Validation in Puppet

CWE-20 — Improper Input Validation6 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 55.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Puppet Agent

Timeline

PublishedJun 11

Latest updateMay 14

Description

Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2 on Windows only, with a specially crafted configuration file an attacker could get pxp-agent to load arbitrary code with privilege escalation.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5puppet/puppet_agentPuppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2

▶NVDpuppet/puppet1.10.0 — 1.10.13+2

🔴Vulnerability Details

GHSA

GHSA-5xw6-x436-6c39: Puppet Agent 1↗2022-05-14

▶

CVEList

CVE-2018-6515: Puppet Agent 1↗2018-06-11

▶

📋Vendor Advisories

Red Hat

puppet-agent: pxp-agent attempts to configure OpenSSL from uncontrolled location↗2018-06-07

▶

Debian

CVE-2018-6515: puppet - Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Pup...↗2018

▶

💬Community

Bugzilla

CVE-2018-6515 puppet-agent: pxp-agent attempts to configure OpenSSL from uncontrolled location↗2018-06-08

▶