In previous versions of Puppet Agent it was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from. This was resolved in Puppet Agent 5.3.4, included in Puppet Enterprise 2017.3.4.
Related weaknesses (CWE) and attack patterns (CAPEC):

- CWE-203 (https://cwe.mitre.org/data/definitions/203.html): The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.
- CWE-269 (https://cwe.mitre.org/data/definitions/269.html): The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
- CAPEC-58 (https://capec.mitre.org/data/definitions/58.html): An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.
- CAPEC-122 (https://capec.mitre.org/data/definitions/122.html): An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.
- CAPEC-189 (https://capec.mitre.org/data/definitions/189.html): An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.
- CAPEC-233 (https://capec.mitre.org/data/definitions/233.html): An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

Affected products:

| Product | Vendor | Status |
|---|---|---|
| SOAPpy | Tracked | |
| ansiblerole-insights-client | Tracked | |
| candlepin | Tracked | |
| createrepo_c | Tracked | |
| foreman | Tracked | |
| foreman-bootloaders-redhat | Tracked | |
| foreman-installer | Tracked | |
| foreman-proxy | Tracked | |
| foreman-selinux | Tracked | |
| gofer | Tracked | |