Puppet Enterprise < 3.1.0 Multiple Vulnerabilities

medium Nessus Plugin ID 70684


A web application on the remote host is affected by multiple vulnerabilities.


According to its self-reported version number, the Puppet Enterprise install on the remote host is a version prior to 3.1.0. As a result, it is reportedly affected by multiple vulnerabilities :

- An error exists related to the Fiddle and DL modules, '$SAFE' level verification and object handling that could allow an attacker to modify system calls.

- A remote code execution vulnerability exists that is triggered when handling a YAML report. This could allow a remote attacker to execute arbitrary code.

- A console account brute-force vulnerability exists that could allow an attacker to brute-force a known user's password. (CVE-2013-4965)

- A RubyGems algorithmic complexity denial of service vulnerability exists that could allow an attacker to cause a denial of service through CPU consumption.


Upgrade to Puppet Enterprise 3.1.0 or later.

See Also





Plugin Details

Severity: Medium

ID: 70684

File Name: puppet_enterprise_310.nasl

Version: 1.7

Type: remote

Family: CGI abuses

Published: 10/29/2013

Updated: 1/19/2021

Risk Information


Risk Factor: Medium

Score: 5.9


Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:puppetlabs:puppet

Required KB Items: puppet/rest_port

Exploit Ease: No exploit is required

Patch Publication Date: 10/15/2013

Vulnerability Publication Date: 9/9/2013

Reference Information

CVE: CVE-2013-2065, CVE-2013-4287, CVE-2013-4957, CVE-2013-4965

BID: 59881, 62281, 63173, 63386