#VU42649 Credentials management in Puppet Enterprise - CVE-2013-4962 

 


Published: August 21, 2013 / Updated: August 10, 2020


Vulnerability identifier: #VU42649
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2013-4962
CWE-ID: CWE-255
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Puppet Enterprise
Software vendor: Puppet Labs

Description

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

The reset password page in Puppet Enterprise before 3.0.1 does not force entry of the current password, which allows attackers to modify user passwords by leveraging session hijacking, an unattended workstation, or other vectors.
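The missing check, shown as an added Ruby example that is not Puppet Enterprise code: the weak method accepts a valid session as sufficient to replace the password, while the hardened one also requires the current password. The `Account` class, its method names and the PBKDF2 parameters are assumptions made for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical in-memory account; illustrative names, not Puppet Enterprise code.
class Account
  ITERATIONS = 50_000 # assumed work factor for the example

  def initialize(password)
    set_password(password)
  end

  # Constant-time comparison of a candidate password against the stored digest.
  def password_matches?(candidate)
    digest = derive(candidate.to_s, @salt)
    return false unless digest.bytesize == @digest.bytesize
    digest.bytes.zip(@digest.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  # Weak form: a valid session alone is enough, so whoever holds the session
  # (hijacked cookie, unattended workstation) can replace the password.
  def change_password_weak(session_valid, new_password)
    return :denied unless session_valid
    set_password(new_password)
    :changed
  end

  # Hardened form: the session holder must also prove knowledge of the
  # current password before the stored credential is replaced.
  def change_password_hardened(session_valid, current_password, new_password)
    return :denied unless session_valid
    return :reauth_failed unless password_matches?(current_password)
    set_password(new_password)
    :changed
  end

  private

  def set_password(password)
    @salt = SecureRandom.random_bytes(16)
    @digest = derive(password, @salt)
  end

  def derive(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new('SHA256'))
  end
end
```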


Remediation

Install the update from the vendor's website.
