CVE-2014-3248
The MITRE CVE dictionary describes this issue as:
Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
Find out more about CVE-2014-3248 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
This issue did not affect the versions of Puppet, Mcollective, Facter, or Hiera as shipped with various Red Hat Enterprise products as they all run on top of Ruby 1.9.3 or later.
CVSS v2 metrics
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 4.4 |
|---|---|
| Base Metrics | AV:L/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Local |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | ruby193-puppet | Not affected |
| Red Hat Satellite 6 | puppet | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) | puppet | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 4.0 | puppet | Not affected |
| Red Hat Enterprise Linux OpenStack Platform 3.0 | puppet | Will not fix |
Acknowledgements
Red Hat would like to thank Puppet Labs for reporting this issue. Upstream acknowledges Dennis Rowe (shr3kst3r) as the original reporter.External References
CVE description copyright © 2017, The MITRE Corporation