GHSA-92v7-pq4h-58j5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-92v7-pq4h-58j5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-92v7-pq4h-58j5/GHSA-92v7-pq4h-58j5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-92v7-pq4h-58j5
- Aliases
- Published
- 2017-10-24T18:33:36Z
- Modified
- 2024-02-17T05:33:12.028080Z
- Summary
- facter, hiera, mcollective-client, and puppet affected by untrusted search path vulnerability
- Details
-
Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1)
rubygems/defaults/operating_system.rb, (2)Win32API.rb, (3)Win32API.so, (4)safe_yaml.rb, (5)safe_yaml/deep.rb, or (6)safe_yaml/deep.so; or (7)operatingsystem.rb, (8)operatingsystem.so, (9)osfamily.rb, or (10)osfamily.soinpuppet/confine. - References
-
- https://nvd.nist.gov/vuln/detail/CVE-2014-3248
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/facter/CVE-2014-3248.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/hiera/CVE-2014-3248.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mcollective-client/CVE-2014-3248.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2014-3248.yml
- https://web.archive.org/web/20141129061319/http://www.securityfocus.com/bid/68035
- https://web.archive.org/web/20150204183209/http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet
- https://web.archive.org/web/20150907182402/http://puppetlabs.com/security/cve/cve-2014-3248
Affected packages
RubyGems / facter
Package
- Name
- facter
- Purl
- pkg:gem/facter
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.7.6
Affected versions
1.*
1.0.1
1.1.1
1.3.3
1.3.7
1.3.8
1.5
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.6.12.rc1
1.6.12.rc2
1.6.12
1.6.13.rc1
1.6.13
1.6.14.rc1
1.6.14
1.6.15.rc1
1.6.15
1.6.16
1.6.17.rc1
1.6.17
1.6.18.rc1
1.6.18
1.7.0.rc1
1.7.0.rc2
1.7.0
1.7.1.rc1
1.7.1
1.7.2.rc1
1.7.2
1.7.3.rc1
1.7.3
1.7.4.rc1
1.7.4
1.7.5.rc1
1.7.5.rc2
1.7.5
RubyGems / facter
Package
- Name
- facter
- Purl
- pkg:gem/facter
RubyGems / hiera
Package
- Name
- hiera
- Purl
- pkg:gem/hiera
RubyGems / puppet
Package
- Name
- puppet
- Purl
- pkg:gem/puppet
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.7.26
Affected versions
0.*
0.9.2
0.13.0
0.13.1
0.13.2
0.13.6
0.16.0
0.18.4
0.22.4
0.23.0
0.23.1
0.23.2
0.24.0
0.24.1
0.24.2
0.24.3
0.24.4
0.24.5
0.24.6
0.24.7
0.24.8
0.24.9
0.25.0
0.25.1
0.25.2
0.25.3
0.25.4
0.25.5
2.*
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.6.15
2.6.16
2.6.17
2.6.18
2.7.1
2.7.3
2.7.4
2.7.5
2.7.6
2.7.8
2.7.9
2.7.11
2.7.12
2.7.13
2.7.14
2.7.16
2.7.17
2.7.18
2.7.19
2.7.20.rc1
2.7.20
2.7.21
2.7.22
2.7.23
2.7.24
2.7.25
RubyGems / puppet
Package
- Name
- puppet
- Purl
- pkg:gem/puppet
Affected versions
3.*
3.0.0
3.0.1.rc1
3.0.1
3.0.2.rc1
3.0.2.rc2
3.0.2.rc3
3.0.2
3.1.0.rc1
3.1.0.rc2
3.1.0
3.1.1
3.2.0.rc1
3.2.0.rc2
3.2.1.rc1
3.2.1
3.2.2
3.2.3.rc1
3.2.3
3.2.4
3.3.0.rc2
3.3.0.rc3
3.3.0
3.3.1.rc1
3.3.1.rc2
3.3.1.rc3
3.3.1
3.3.2
3.4.0.rc1
3.4.0.rc2
3.4.0
3.4.1
3.4.2
3.4.3
3.5.0.rc1
3.5.0.rc2
3.5.0.rc3
3.5.1.rc1
3.5.1
3.6.0.rc1
3.6.0
3.6.1
RubyGems / mcollective-client
Package
- Name
- mcollective-client
- Purl
- pkg:gem/mcollective-client