First published: Tue Aug 20 2013
The reset password page in Puppet Enterprise before 3.0.1 does not force entry of the current password, which allows attackers to modify user passwords by leveraging session hijacking, an unattended workstation, or other vectors.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Puppet Puppet Enterprise | <=3.0.0 | |
Puppet Puppet Enterprise | =2.5.1 | |
Puppet Puppet Enterprise | =2.5.2 | |
Puppet Puppet Enterprise | =2.8.0 | |
Puppet Puppet Enterprise | =2.8.1 | |
Puppet Puppet Enterprise | =2.8.2 | |
Puppet Puppet Enterprise | =2.8.3 | |