Описание
Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie.
Ссылки
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
- Vendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2.7.2 (включая)
Одно из
cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*
cpe:2.3:a:puppet:puppet_enterprise:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:puppet:puppet_enterprise:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:puppet:puppet_enterprise:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:puppetlabs:puppet:1.0.0:-:enterprise:*:*:*:*:*
cpe:2.3:a:puppetlabs:puppet:1.1.0:-:enterprise:*:*:*:*:*
cpe:2.3:a:puppetlabs:puppet:1.2.0:-:enterprise:*:*:*:*:*
cpe:2.3:a:puppetlabs:puppet:2.5.0:-:enterprise:*:*:*:*:*
cpe:2.3:a:puppetlabs:puppet:2.6.0:-:enterprise:*:*:*:*:*
EPSS
Процентиль: 53%
0.00298
Низкий
5 Medium
CVSS2
Дефекты
CWE-310
Связанные уязвимости
github
больше 3 лет назад
Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie.
EPSS
Процентиль: 53%
0.00298
Низкий
5 Medium
CVSS2
Дефекты
CWE-310