{"api_version":"1","generated_at":"2026-06-10T16:27:59+00:00","cve":"CVE-2013-4966","urls":{"html":"https://cve.report/CVE-2013-4966","api":"https://cve.report/api/cve/CVE-2013-4966.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2013-4966","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2013-4966"},"summary":{"title":"CVE-2013-4966","description":"The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.","state":"PUBLISHED","assigner":"mitre","published_at":"2014-03-09 13:16:56","updated_at":"2026-05-06 22:30:45"},"problem_types":["CWE-287","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"6.4","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:N","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:N","baseScore":6.4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE"}}],"references":[{"url":"http://www.securitytracker.com/id/1029873","name":"http://www.securitytracker.com/id/1029873","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Puppet Enterprise Bugs Let Remote Users Impersonate the Console and Obtain Potentially Sensitive Information - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://puppetlabs.com/security/cve/cve-2013-4966","name":"http://puppetlabs.com/security/cve/cve-2013-4966","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"],"title":"CVE-2013-4966 | Puppet Labs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2013-4966","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-4966","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2013","cve_id":"4966","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"puppet","cpe5":"puppet_enterprise","cpe6":"3.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"4966","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"puppet","cpe5":"puppet_enterprise","cpe6":"3.0.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"4966","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"puppet","cpe5":"puppet_enterprise","cpe6":"3.1.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2013","cve_id":"4966","vulnerable":"1","versionEndIncluding":"3.1.1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"puppet","cpe5":"puppet_enterprise","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T16:59:41.115Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"1029873","tags":["vdb-entry","x_refsource_SECTRACK","x_transferred"],"url":"http://www.securitytracker.com/id/1029873"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"http://puppetlabs.com/security/cve/cve-2013-4966"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2014-03-04T00:00:00.000Z","descriptions":[{"lang":"en","value":"The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2014-03-07T19:57:00.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"name":"1029873","tags":["vdb-entry","x_refsource_SECTRACK"],"url":"http://www.securitytracker.com/id/1029873"},{"tags":["x_refsource_CONFIRM"],"url":"http://puppetlabs.com/security/cve/cve-2013-4966"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2013-4966","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"1029873","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1029873"},{"name":"http://puppetlabs.com/security/cve/cve-2013-4966","refsource":"CONFIRM","url":"http://puppetlabs.com/security/cve/cve-2013-4966"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2013-4966","datePublished":"2014-03-07T20:00:00.000Z","dateReserved":"2013-07-29T00:00:00.000Z","dateUpdated":"2024-08-06T16:59:41.115Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2014-03-09 13:16:56","lastModifiedDate":"2026-05-06 22:30:45","problem_types":["CWE-287","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:N","baseScore":6.4,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE"},"baseSeverity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*","versionEndIncluding":"3.1.1","matchCriteriaId":"8AEC7422-1DDD-44DB-A9B3-129D673B34A3"},{"vulnerable":true,"criteria":"cpe:2.3:a:puppet:puppet_enterprise:3.0.0:*:*:*:*:*:*:*","matchCriteriaId":"EE0A2F50-A73B-4598-BE73-1DDA1084352A"},{"vulnerable":true,"criteria":"cpe:2.3:a:puppet:puppet_enterprise:3.0.1:*:*:*:*:*:*:*","matchCriteriaId":"F641A2B7-E90E-45DC-BCE0-E1776C1CF691"},{"vulnerable":true,"criteria":"cpe:2.3:a:puppet:puppet_enterprise:3.1.0:*:*:*:*:*:*:*","matchCriteriaId":"3CFF3B0A-2C66-445A-BB5C-136DCAA584FE"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2013","CveId":"4966","Ordinal":"1","Title":"CVE-2013-4966","CVE":"CVE-2013-4966","Year":"2013"},"notes":[{"CveYear":"2013","CveId":"4966","Ordinal":"1","NoteData":"The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console.","Type":"Description","Title":"CVE-2013-4966"},{"CveYear":"2013","CveId":"4966","Ordinal":"2","NoteData":"2014-03-07","Type":"Other","Title":"Published"},{"CveYear":"2013","CveId":"4966","Ordinal":"3","NoteData":"2014-03-07","Type":"Other","Title":"Modified"}]}}}