CVE-2011-0528
medium
CVSS v3: —
CVSS v2: 5.5
VIR risk: 5.5
Description
Puppet 2.6.0 through 2.6.3 does not properly restrict access to node resources, which allows remote authenticated Puppet nodes to read or modify the resources of other nodes via unspecified vectors.
Predictions
Exploit likelihood: 20%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2011-0528
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bullseye | fixed | 2.6.2-3 |
References
- https://github.com/advisories/GHSA-9pvx-fwwh-w289
- http://www.mail-archive.com/puppet-users%40googlegroups.com/msg16429.html
- http://www.openwall.com/lists/oss-security/2011/01/27/6
- http://www.openwall.com/lists/oss-security/2011/01/31/5
- http://www.ubuntu.com/usn/USN-1365-1
- https://nvd.nist.gov/vuln/detail/CVE-2011-0528
- https://github.com/puppetlabs/puppet/commit/eee1a9cdaa5cab6222c8e6ab087d319f976fa4e3
- https://github.com/puppetlabs/puppet
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2011-0528.yml
- http://www.mail-archive.com/puppet-users@googlegroups.com/msg16429.html
- https://security-tracker.debian.org/tracker/CVE-2011-0528
CWEs
CWE-264