Vulnerabilities > CVE-2013-1398 - Cryptographic Issues vulnerability in multiple products

CVSS 8.5 - HIGH

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

puppet

puppetlabs

CWE-310

NVD

Published: 2014-03-14

Updated: 2019-07-10

Summary

The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of private SSL keys, which allows remote authenticated users to obtain sensitive information and gain privileges by leveraging root access to a node, related to the master role.

Vulnerable Configurations

Part	Description	Count
Application	Puppet Puppet Puppet Enterprise 2.0.0 Puppet Puppet Enterprise 2.5.1 Puppet Puppet Enterprise 2.5.2 Puppet Puppet Enterprise 1.0 Puppet Puppet Enterprise 1.1 Puppet Puppet Enterprise 1.2.0 Puppet Puppet Enterprise 1.2.1 Puppet Puppet Enterprise 1.2.2 Puppet Puppet Enterprise 1.2.3 Puppet Puppet Enterprise 1.2.4 Puppet Puppet Enterprise 1.2.5 Puppet Puppet Enterprise 1.2.6 Puppet Puppet Enterprise 1.2.7 Puppet Puppet Enterprise 2.0.1 Puppet Puppet Enterprise 2.0.2 Puppet Puppet Enterprise 2.0.3 Puppet Puppet Enterprise 2.5.0 Puppet Puppet Enterprise 2.5.3 Puppet Puppet Enterprise 2.6.0 Puppet Puppet Enterprise 2.6.1 Puppet Puppet Enterprise 2.7.0	21
Application	Puppetlabs Puppetlabs Puppet 2.5.0 Puppetlabs Puppet 2.6.0	2

Common Weakness Enumeration (CWE)

CWE-310 - Cryptographic Issues

Common Attack Pattern Enumeration and Classification (CAPEC)

Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

References

http://puppetlabs.com/security/cve/cve-2013-1398