Puppet Enterprise < 3.1.0 Multiple Vulnerabilities
Medium Nessus Plugin ID 70684
Synopsis
A web application on the remote host is affected by multiple vulnerabilities.
Description
According to its self-reported version number, the Puppet Enterprise install on the remote host is a version prior to 3.1.0. As a result, it is reportedly affected by multiple vulnerabilities:
- An error exists related to the Fiddle and DL modules, '$SAFE' level verification and object handling that could allow an attacker to modify system calls.
- A remote code execution vulnerability exists that is triggered when handling a YAML report. This could allow a remote attacker to execute arbitrary code.
- A console account brute-force vulnerability exists that could allow an attacker to brute-force a known user's password. (CVE-2013-4965)
- A RubyGems algorithmic complexity denial of service vulnerability exists that could allow an attacker to cause a denial of service through CPU consumption.
Solution
Upgrade to Puppet Enterprise 3.1.0 or later.