CVE-2013-4966
Summary
| CVE | CVE-2013-4966 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-03-09 13:16:56 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console. |
Risk And Classification
CVSS v2.0 Breakdown
| Access Vector | Network |
|---|---|
| Access Complexity | Low |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | None |

AV:N/AC:L/Au:N/C:P/I:P/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Puppet | Puppet Enterprise | 3.0.0 | All | All | All |
| Application | Puppet | Puppet Enterprise | 3.0.1 | All | All | All |
| Application | Puppet | Puppet Enterprise | 3.1.0 | All | All | All |
| Application | Puppet | Puppet Enterprise | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Puppet Enterprise Bugs Let Remote Users Impersonate the Console and Obtain Potentially Sensitive Information - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| CVE-2013-4966 \| Puppet Labs | af854a3a-2127-422b-91ae-364da2661108 | puppetlabs.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.