18.1.0

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

puppet

NVD

Published: 2018-06-14

Updated: 2019-10-03

Summary

On Windows only, with a specifically crafted configuration file an attacker could get Puppet PE client tools (aka pe-client-tools) 16.4.x prior to 16.4.6, 17.3.x prior to 17.3.6, and 18.1.x prior to 18.1.2 to load arbitrary code with privilege escalation.

Vulnerable Configurations

Part	Description	Count
Application	Puppet Puppet Puppet Enterprise Client Tools 16.4.0 Puppet Puppet Enterprise Client Tools 17.3.0 Puppet Puppet Enterprise Client Tools 18.1.0	3
OS	Microsoft Microsoft Windows -	1

References

https://puppet.com/security/cve/CVE-2018-6516