saigkill/hoe-packaging:Gemfile.lock

Vulnerabilities 6 via 6 paths
Dependencies 29
Source GitHub
Commit 486639a3


Severity: 4 high, 2 medium
Status counts: 6, 0, 0
high severity

Arbitrary Code Loading

  • Vulnerable module: puppet
  • Introduced through: hoe-packaging@1.2.5

Detailed paths

  • Introduced through: saigkill/hoe-packaging:Gemfile.lock@saigkill/hoe-packaging#486639a34314e40448a3927a43fc1b13a5a89a9c hoe-packaging@1.2.5 fpm-cookery@0.33.0 puppet@3.6.2
    Remediation: Upgrade to hoe-packaging@1.2.5.

Overview

puppet is an automated configuration management tool.

Affected versions of this package are vulnerable to Arbitrary Code Loading. With a specially crafted configuration file an attacker could get pxp-agent to load arbitrary code with privilege escalation.

Remediation

Upgrade puppet to versions 5.3.7, 5.5.2 or higher.

References

high severity

Deserialization of Untrusted Data

  • Vulnerable module: puppet
  • Introduced through: hoe-packaging@1.2.5

Detailed paths

  • Introduced through: saigkill/hoe-packaging:Gemfile.lock@saigkill/hoe-packaging#486639a34314e40448a3927a43fc1b13a5a89a9c hoe-packaging@1.2.5 fpm-cookery@0.33.0 puppet@3.6.2
    Remediation: Upgrade to hoe-packaging@1.2.5.

Overview

puppet is an automated configuration management tool.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. It allows deserializing data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.

Remediation

Upgrade puppet to version 4.10.1 or higher.

References

high severity

Privilege Escalation

  • Vulnerable module: puppet
  • Introduced through: hoe-packaging@1.2.5

Detailed paths

  • Introduced through: saigkill/hoe-packaging:Gemfile.lock@saigkill/hoe-packaging#486639a34314e40448a3927a43fc1b13a5a89a9c hoe-packaging@1.2.5 fpm-cookery@0.33.0 puppet@3.6.2
    Remediation: Upgrade to hoe-packaging@1.2.5.

Overview

puppet is a server automation framework and application.

Affected versions of this package are vulnerable to DLL preloading attacks which could lead to a privilege escalation.

Remediation

Upgrade puppet to versions 5.3.7, 5.5.2 or higher.

References

high severity

Privilege Escalation

  • Vulnerable module: puppet
  • Introduced through: hoe-packaging@1.2.5

Detailed paths

  • Introduced through: saigkill/hoe-packaging:Gemfile.lock@saigkill/hoe-packaging#486639a34314e40448a3927a43fc1b13a5a89a9c hoe-packaging@1.2.5 fpm-cookery@0.33.0 puppet@3.6.2
    Remediation: Upgrade to hoe-packaging@1.2.5.

Overview

puppet is a server automation framework and application.

Affected versions of this package are vulnerable to Privilege Escalation. An unprivileged user on Windows agents could write custom facts that can escalate privileges on the next puppet run.

Remediation

Upgrade puppet to versions 5.3.7, 5.5.2 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: puppet
  • Introduced through: hoe-packaging@1.2.5

Detailed paths

  • Introduced through: saigkill/hoe-packaging:Gemfile.lock@saigkill/hoe-packaging#486639a34314e40448a3927a43fc1b13a5a89a9c hoe-packaging@1.2.5 fpm-cookery@0.33.0 puppet@3.6.2
    Remediation: Upgrade to hoe-packaging@1.2.5.

Overview

puppet is an automated administrative engine for your Linux, Unix, and Windows systems; it performs administrative tasks based on a centralized specification.

Affected versions of this package are vulnerable to Information Exposure. It was possible for the agent to retrieve facts from an environment that it was not classified to retrieve from.

Remediation

Upgrade puppet to version 5.3.4 or higher.

References

medium severity

Insecure Permissions

  • Vulnerable module: puppet
  • Introduced through: hoe-packaging@1.2.5

Detailed paths

  • Introduced through: saigkill/hoe-packaging:Gemfile.lock@saigkill/hoe-packaging#486639a34314e40448a3927a43fc1b13a5a89a9c hoe-packaging@1.2.5 fpm-cookery@0.33.0 puppet@3.6.2
    Remediation: Upgrade to hoe-packaging@1.2.5.

Overview

puppet is an automated administrative engine for your Linux, Unix, and Windows systems; it performs administrative tasks based on a centralized specification.

Affected versions of this package are vulnerable to Insecure Permissions. It was possible to install a module with world writable permissions.

Remediation

Upgrade puppet to version 5.3.4 or higher.

References