Vigil@nce (Orange Business Services)
Puppet Enterprise: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Puppet Enterprise.
Impacted products: Puppet.
Severity: 2/4.
Creation date: 16/10/2013.
Revision date: 19/12/2013.
Identifiers: BID-59881, BID-63173, BID-63386, CERTA-2013-AVI-592, CERTA-2013-AVI-681, CVE-2013-2065, CVE-2013-4287, CVE-2013-4957, CVE-2013-4965, VIGILANCE-VUL-13610.

Description of the vulnerability

Several vulnerabilities were announced in Puppet Enterprise.

An attacker can trigger an excessively long loop in RubyGems regular expression matching, in order to cause a denial of service. [severity:2/4; CVE-2013-4287]

An attacker can submit a malicious YAML report, in order to execute code. [severity:2/4; BID-63173, CVE-2013-4957]

An attacker can attempt an unlimited number of passwords, since no lockout or rate limit is applied, in order to guess a valid user's password. [severity:2/4; BID-63386, CVE-2013-4965]

When Ruby runs in $SAFE mode, a DL/Fiddle function can be called with a tainted variable, which can lead to code execution (VIGILANCE-VUL-12799). [severity:2/4; BID-59881, CERTA-2013-AVI-681, CVE-2013-2065]
Copyright 1999-2014 Vigil@nce. Vigil@nce is a service from Orange Business Services.