Privilege Escalation

Affecting puppet gem, versions <5.3.7 || >=5.4.0, <5.5.2

Overview

puppet is a server automation framework and application.

Affected versions of this package are vulnerable to Privilege Escalation. An unprivileged user on Windows agents could write custom facts that can escalate privileges on the next puppet run.

Remediation

Upgrade puppet to versions 5.3.7, 5.5.2 or higher.
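
A lockfile check for the affected ranges above, as an added example that is not part of the advisory or of Puppet's code. The function names and the sample Gemfile.lock are constructed for illustration; the version ranges are the ones this page states.

```ruby
require "rubygems"

# Affected ranges exactly as the advisory states them: <5.3.7 || >=5.4.0, <5.5.2
AFFECTED_RANGES = [
  Gem::Requirement.new("< 5.3.7"),
  Gem::Requirement.new(">= 5.4.0", "< 5.5.2")
].freeze

# True when the given puppet version falls in either affected range.
def puppet_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |range| range.satisfied_by?(v) }
end

# Resolved gems sit under "specs:" at four spaces of indent, e.g.
# "    puppet (5.5.1-x64-mingw32)". The platform suffix is dropped before
# comparing, because Gem::Version would read "-x64-mingw32" as a pre-release.
def locked_puppet_versions(lock_text)
  lock_text.scan(/^ {4}puppet \(([^)\s-]+)(?:-[^)]*)?\)\r?$/).flatten
end

# Versions pinned in the lockfile that still need the upgrade.
def affected_locked_versions(lock_text)
  locked_puppet_versions(lock_text).select { |v| puppet_affected?(v) }
end

# Constructed sample lockfile (hypothetical, not from the advisory).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      facter (2.5.1)
      puppet (5.5.1-x64-mingw32)
        facter (> 2.0.1, < 4)

  PLATFORMS
    x64-mingw32

  DEPENDENCIES
    puppet (~> 5.5)
LOCK

if __FILE__ == $PROGRAM_NAME
  hits = affected_locked_versions(SAMPLE_LOCK)
  puts hits.empty? ? "puppet: not in an affected range" : "puppet #{hits.join(', ')}: upgrade required"
end
```

Only the resolved entries under `specs:` are compared; the constraint lines under `DEPENDENCIES` are ignored because they do not name an installed version.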

CVSS Score

8.8 (high severity)

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  • Credit: Unknown
  • CVE: CVE-2018-6513
  • CWE: CWE-264
  • Snyk ID: SNYK-RUBY-PUPPET-22030
  • Disclosed: 07 Jun, 2018
  • Published: 17 Jun, 2018