Synopsis
A configuration management application running on the remote host has multiple vulnerabilities.
Description
According to its self-reported version number, the version of Puppet Open Source or Puppet Enterprise running on the remote host has the following vulnerabilities:
- A vulnerability that allows an authenticated client to execute arbitrary code on a puppet master.
- A vulnerability that allows an authenticated client to connect to a puppet master and perform unauthorized actions. (CVE-2013-1652)
- A vulnerability that would allow a man-in-the-middle attacker to downgrade an HTTPS connection to use SSLv2.
- A vulnerability that allows an authenticated node to submit a report for any other node. This issue only affects puppet masters 0.25.0 and above. (CVE-2013-2275)
Solution
Upgrade Puppet Open Source to 2.6.18 / 2.7.21 / 3.1.1 or later.
Upgrade Puppet Enterprise to 1.2.7 / 2.7.2 or later.