cnvd - cnvd-2016-00176

CNVD-2016-00176

Vulnerability from cnvd - Published: 2016-01-13

Title

Puppet Enterprise Puppet Server信息泄露漏洞

Description

Puppet Server是美国Puppet实验室的一套基于客户端/服务器（C/S）架构的配置管理工具。该工具可用于管理配置文件、用户、cron任务、软件包、系统服务等。 Puppet Enterprise 3.8.3之前3.8.x版本和2015.2.3之前2015.2.x版本的Puppet Server中存在安全漏洞，该漏洞源于在初始安装和配置期间，程序为Certification Authority(CA)证书的私钥分配全局可读权限。本地攻击者可利用该漏洞获取敏感信息。

Severity

低

Patch Name

Puppet Enterprise Puppet Server信息泄露漏洞的补丁

Patch Description

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接： https://puppetlabs.com/security/cve/cve-2015-7328

Reference

https://puppetlabs.com/security/cve/cve-2015-7328

Impacted products

Name
['Puppet Enterprise 3.8.x(<3.8.3)', 'Puppet Enterprise 2015.2.x(<2015.2.3)']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-7328"
    }
  },
  "description": "Puppet Server\u662f\u7f8e\u56fdPuppet\u5b9e\u9a8c\u5ba4\u7684\u4e00\u5957\u57fa\u4e8e\u5ba2\u6237\u7aef/\u670d\u52a1\u5668\uff08C/S\uff09\u67b6\u6784\u7684\u914d\u7f6e\u7ba1\u7406\u5de5\u5177\u3002\u8be5\u5de5\u5177\u53ef\u7528\u4e8e\u7ba1\u7406\u914d\u7f6e\u6587\u4ef6\u3001\u7528\u6237\u3001cron\u4efb\u52a1\u3001\u8f6f\u4ef6\u5305\u3001\u7cfb\u7edf\u670d\u52a1\u7b49\u3002\r\n\r\nPuppet Enterprise 3.8.3\u4e4b\u524d3.8.x\u7248\u672c\u548c2015.2.3\u4e4b\u524d2015.2.x\u7248\u672c\u7684Puppet Server\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u521d\u59cb\u5b89\u88c5\u548c\u914d\u7f6e\u671f\u95f4\uff0c\u7a0b\u5e8f\u4e3aCertification Authority(CA)\u8bc1\u4e66\u7684\u79c1\u94a5\u5206\u914d\u5168\u5c40\u53ef\u8bfb\u6743\u9650\u3002\u672c\u5730\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "unknown",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://puppetlabs.com/security/cve/cve-2015-7328",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-00176",
  "openTime": "2016-01-13",
  "patchDescription": "Puppet Server\u662f\u7f8e\u56fdPuppet\u5b9e\u9a8c\u5ba4\u7684\u4e00\u5957\u57fa\u4e8e\u5ba2\u6237\u7aef/\u670d\u52a1\u5668\uff08C/S\uff09\u67b6\u6784\u7684\u914d\u7f6e\u7ba1\u7406\u5de5\u5177\u3002\u8be5\u5de5\u5177\u53ef\u7528\u4e8e\u7ba1\u7406\u914d\u7f6e\u6587\u4ef6\u3001\u7528\u6237\u3001cron\u4efb\u52a1\u3001\u8f6f\u4ef6\u5305\u3001\u7cfb\u7edf\u670d\u52a1\u7b49\u3002\r\n\r\nPuppet Enterprise 3.8.3\u4e4b\u524d3.8.x\u7248\u672c\u548c2015.2.3\u4e4b\u524d2015.2.x\u7248\u672c\u7684Puppet Server\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u521d\u59cb\u5b89\u88c5\u548c\u914d\u7f6e\u671f\u95f4\uff0c\u7a0b\u5e8f\u4e3aCertification Authority(CA)\u8bc1\u4e66\u7684\u79c1\u94a5\u5206\u914d\u5168\u5c40\u53ef\u8bfb\u6743\u9650\u3002\u672c\u5730\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Puppet Enterprise Puppet Server\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Puppet   Enterprise 3.8.x(\u003c3.8.3)",
      "Puppet   Enterprise 2015.2.x(\u003c2015.2.3)"
    ]
  },
  "referenceLink": "https://puppetlabs.com/security/cve/cve-2015-7328",
  "serverity": "\u4f4e",
  "submitTime": "2016-01-12",
  "title": "Puppet Enterprise Puppet Server\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2015-7328 (GCVE-0-2015-7328)

Vulnerability from cvelistv5 – Published: 2016-01-08 19:00 – Updated: 2024-08-06 07:43

Summary

Puppet Server in Puppet Enterprise before 3.8.x before 3.8.3 and 2015.2.x before 2015.2.3 uses world-readable permissions for the private key of the Certification Authority (CA) certificate during the initial installation and configuration, which might allow local users to obtain sensitive information via unspecified vectors.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://puppetlabs.com/security/cve/cve-2015-7328

x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T07:43:46.219Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://puppetlabs.com/security/cve/cve-2015-7328"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-11-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Puppet Server in Puppet Enterprise before 3.8.x before 3.8.3 and 2015.2.x before 2015.2.3 uses world-readable permissions for the private key of the Certification Authority (CA) certificate during the initial installation and configuration, which might allow local users to obtain sensitive information via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-01-08T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://puppetlabs.com/security/cve/cve-2015-7328"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-7328",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Puppet Server in Puppet Enterprise before 3.8.x before 3.8.3 and 2015.2.x before 2015.2.3 uses world-readable permissions for the private key of the Certification Authority (CA) certificate during the initial installation and configuration, which might allow local users to obtain sensitive information via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://puppetlabs.com/security/cve/cve-2015-7328",
              "refsource": "CONFIRM",
              "url": "https://puppetlabs.com/security/cve/cve-2015-7328"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-7328",
    "datePublished": "2016-01-08T19:00:00",
    "dateReserved": "2015-09-23T00:00:00",
    "dateUpdated": "2024-08-06T07:43:46.219Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2016-00176

CVE-2015-7328 (GCVE-0-2015-7328)

Tags

Sightings

Nomenclature