CVE-2014-3248
Published: 16 November 2014
Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
Priority
Status
Package | Release | Status |
---|---|---|
facter (Launchpad, Ubuntu, Debian) | vivid | Not vulnerable (2.0.1-1ubuntu1) |
facter | impish | Not vulnerable (2.0.1-1ubuntu1) |
facter | jammy | Not vulnerable (2.0.1-1ubuntu1) |
facter | artful | Not vulnerable (2.0.1-1ubuntu1) |
facter | bionic | Not vulnerable (2.0.1-1ubuntu1) |
facter | cosmic | Not vulnerable (2.0.1-1ubuntu1) |
facter | disco | Not vulnerable (2.0.1-1ubuntu1) |
facter | eoan | Not vulnerable (2.0.1-1ubuntu1) |
facter | focal | Not vulnerable (2.0.1-1ubuntu1) |
facter | groovy | Not vulnerable (2.0.1-1ubuntu1) |
facter | hirsute | Not vulnerable (2.0.1-1ubuntu1) |
facter | kinetic | Not vulnerable (2.0.1-1ubuntu1) |
facter | lucid | Ignored (end of life) |
facter | lunar | Not vulnerable (2.0.1-1ubuntu1) |
facter | precise | Ignored (end of life) |
facter | saucy | Ignored (end of life) |
facter | trusty | Needed |
facter | upstream | Released (2.0.1-1) |
facter | utopic | Not vulnerable (2.0.1-1ubuntu1) |
facter | wily | Not vulnerable (2.0.1-1ubuntu1) |
facter | xenial | Not vulnerable (2.0.1-1ubuntu1) |
facter | yakkety | Not vulnerable (2.0.1-1ubuntu1) |
facter | zesty | Not vulnerable (2.0.1-1ubuntu1) |
facter | mantic | Not vulnerable (2.0.1-1ubuntu1) |
mcollective (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life) |
mcollective | bionic | Not vulnerable (2.5.2+dfsg-1) |
mcollective | cosmic | Not vulnerable (2.5.2+dfsg-1) |
mcollective | impish | Not vulnerable (2.5.2+dfsg-1) |
mcollective | jammy | Not vulnerable (2.5.2+dfsg-1) |
mcollective | vivid | Ignored (end of life) |
mcollective | disco | Not vulnerable (2.5.2+dfsg-1) |
mcollective | eoan | Not vulnerable (2.5.2+dfsg-1) |
mcollective | focal | Not vulnerable (2.5.2+dfsg-1) |
mcollective | groovy | Not vulnerable (2.5.2+dfsg-1) |
mcollective | hirsute | Not vulnerable (2.5.2+dfsg-1) |
mcollective | kinetic | Not vulnerable (2.5.2+dfsg-1) |
mcollective | lucid | Does not exist |
mcollective | lunar | Not vulnerable (2.5.2+dfsg-1) |
mcollective | precise | Ignored (end of life) |
mcollective | saucy | Ignored (end of life) |
mcollective | trusty | Does not exist (trusty was needed) |
mcollective | upstream | Needs triage |
mcollective | utopic | Ignored (end of life) |
mcollective | wily | Ignored (end of life) |
mcollective | xenial | Not vulnerable (2.5.2+dfsg-1) |
mcollective | yakkety | Ignored (end of life) |
mcollective | zesty | Ignored (end of life) |
mcollective | mantic | Not vulnerable (2.5.2+dfsg-1) |
puppet (Launchpad, Ubuntu, Debian) | impish | Not vulnerable (3.8.5-2) |
puppet | jammy | Not vulnerable (3.8.5-2) |
puppet | artful | Not vulnerable (3.8.5-2) |
puppet | bionic | Not vulnerable (3.8.5-2) |
puppet | cosmic | Not vulnerable (3.8.5-2) |
puppet | disco | Not vulnerable (3.8.5-2) |
puppet | eoan | Not vulnerable (3.8.5-2) |
puppet | focal | Not vulnerable (3.8.5-2) |
puppet | groovy | Not vulnerable (3.8.5-2) |
puppet | hirsute | Not vulnerable (3.8.5-2) |
puppet | kinetic | Not vulnerable (3.8.5-2) |
puppet | lucid | Ignored (end of life) |
puppet | lunar | Does not exist |
puppet | precise | Ignored (end of life) |
puppet | saucy | Ignored (end of life) |
puppet | trusty | Released (3.4.3-1ubuntu1.2) |
puppet | upstream | Needs triage |
puppet | utopic | Ignored (end of life) |
puppet | vivid | Ignored (end of life) |
puppet | wily | Not vulnerable (3.7.2-5ubuntu2) |
puppet | xenial | Not vulnerable (3.8.5-2) |
puppet | yakkety | Not vulnerable (3.8.5-2) |
puppet | zesty | Not vulnerable (3.8.5-2) |
puppet | mantic | Does not exist |
puppet | Patches | upstream: https://github.com/puppetlabs/puppet/commit/1d1e1eac451fdd277ff1601b3fb635dcb713c7be |
ruby-hiera (Launchpad, Ubuntu, Debian) | impish | Does not exist |
ruby-hiera | jammy | Does not exist |
ruby-hiera | artful | Does not exist |
ruby-hiera | bionic | Does not exist |
ruby-hiera | cosmic | Does not exist |
ruby-hiera | disco | Does not exist |
ruby-hiera | eoan | Does not exist |
ruby-hiera | focal | Does not exist |
ruby-hiera | groovy | Does not exist |
ruby-hiera | hirsute | Does not exist |
ruby-hiera | kinetic | Does not exist |
ruby-hiera | lucid | Does not exist |
ruby-hiera | lunar | Does not exist |
ruby-hiera | precise | Does not exist |
ruby-hiera | saucy | Ignored (end of life) |
ruby-hiera | trusty | Does not exist (trusty was needed) |
ruby-hiera | upstream | Needs triage |
ruby-hiera | utopic | Does not exist |
ruby-hiera | vivid | Does not exist |
ruby-hiera | wily | Does not exist |
ruby-hiera | xenial | Does not exist |
ruby-hiera | yakkety | Does not exist |
ruby-hiera | zesty | Does not exist |
ruby-hiera | mantic | Does not exist |