vulnerability CVE-2013-2065 CVE-2013-4287 CVE-2013-4957
Puppet Enterprise: four vulnerabilities
Synthesis of the vulnerability
An attacker can use several vulnerabilities of Puppet Enterprise.
Impacted products:
BID-59881, BID-63173, BID-63386, CERTA-2013-AVI-592, CERTA-2013-AVI-681, CVE-2013-2065, CVE-2013-4287, CVE-2013-4957, CVE-2013-4965, VIGILANCE-VUL-13610.
Description of the vulnerability
Several vulnerabilities were announced in Puppet Enterprise.
An attacker can generate a large loop in RubyGems regular expressions, in order to trigger a denial of service. [severity:2/4; CVE-2013-4287]
An attacker can use a YAML report, in order to execute code. [severity:2/4; BID-63173, CVE-2013-4957]
An attacker can try several passwords with no limit, in order to guess a valid user's password. [severity:2/4; BID-63386, CVE-2013-4965]
When Ruby is in $SAFE mode, a DL/Fiddle function can be called on a tainted variable, which can lead to code execution (VIGILANCE-VUL-12799). [severity:2/4; BID-59881, CERTA-2013-AVI-681, CVE-2013-2065]