CVE-2013-4956
First published: Tue Aug 20 2013(Updated: )
Puppet Module Tool (PMT), as used in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, installs modules with weak permissions if those permissions were used when the modules were originally built, which might allow local users to read or modify those modules depending on the original permissions.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Puppet | =2.7.2 | |
| Puppet | =2.7.3 | |
| Puppet | =2.7.4 | |
| Puppet | =2.7.5 | |
| Puppet | =2.7.6 | |
| Puppet | =2.7.7 | |
| Puppet | =2.7.8 | |
| Puppet | =2.7.9 | |
| Puppet | =2.7.10 | |
| Puppet | =2.7.11 | |
| Puppet | =2.7.12 | |
| Puppet | =2.7.13 | |
| Puppet | =2.7.14 | |
| Puppet | =2.7.16 | |
| Puppet | =2.7.17 | |
| Puppet | =2.7.18 | |
| Puppet | =2.7.21 | |
| Puppet | =2.7.22 | |
| Puppet | =3.2.1 | |
| Puppet | =3.2.2 | |
| Puppet | =3.2.3 | |
| Puppet Enterprise | =2.8.0 | |
| Puppet Enterprise | =2.8.1 | |
| Puppet Enterprise | =2.8.2 | |
| Puppet Enterprise | =3.0.0 | |
| Puppet | =2.7.0 | |
| Puppet | =2.7.1 | |
| Puppet | =3.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2013-4956?
CVE-2013-4956 has been classified with medium severity, allowing potential local user access due to weak permissions.
How do I fix CVE-2013-4956?
To fix CVE-2013-4956, update Puppet to version 2.7.23 or later for 2.7.x series or 3.2.4 or later for 3.2.x series.
Who is affected by CVE-2013-4956?
CVE-2013-4956 affects Puppet versions 2.7.0 through 2.7.22, and 3.2.0 through 3.2.3, including Puppet Enterprise 2.8.0 through 2.8.2 and 3.0.0.
What kind of attack can be executed using CVE-2013-4956?
CVE-2013-4956 can allow local attackers to read files that should have restricted access due to weak module permissions.
Is CVE-2013-4956 a critical vulnerability?
CVE-2013-4956 is not classified as critical, but it poses a security risk that should be addressed promptly.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/puppet
- canonical/puppet
- version/puppet/2.7.2
- version/puppet/2.7.3
- version/puppet/2.7.4
- version/puppet/2.7.5
- version/puppet/2.7.6
- version/puppet/2.7.7
- version/puppet/2.7.8
- version/puppet/2.7.9
- version/puppet/2.7.10
- version/puppet/2.7.11
- version/puppet/2.7.12
- version/puppet/2.7.13
- version/puppet/2.7.14
- version/puppet/2.7.16
- version/puppet/2.7.17
- version/puppet/2.7.18
- version/puppet/2.7.21
- version/puppet/2.7.22
- version/puppet/3.2.1
- version/puppet/3.2.2
- version/puppet/3.2.3
- canonical/puppet enterprise
- version/puppet enterprise/2.8.0
- version/puppet enterprise/2.8.1
- version/puppet enterprise/2.8.2
- version/puppet enterprise/3.0.0
- vendor/puppetlabs
- version/puppet/2.7.0
- version/puppet/2.7.1
- version/puppet/3.2.0