github - ghsa-vw22-465p-8j5w

ghsa-vw22-465p-8j5w

Vulnerability from github

Published

2022-05-13 01:41

Modified

2022-07-21 22:29

Severity

5.5 (Medium) - CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Summary

Tarball permission preservation in puppet

Details

When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user's umask.

When using minitar, files are unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puppet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.10.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puppet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-10689"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-21T22:29:32Z",
    "nvd_published_at": "2018-02-09T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user\u0027s umask.\n\nWhen using minitar, files are unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions.\n",
  "id": "GHSA-vw22-465p-8j5w",
  "modified": "2022-07-21T22:29:32Z",
  "published": "2022-05-13T01:41:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10689"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puppetlabs/puppet/commit/17d9e02da3882e44c1876e2805cf9708481715ee"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puppetlabs/puppet/commit/2f1047f85e22cde139a421bc25d371f2ffc92cb1"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:2927"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/puppetlabs/puppet"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2017-10689.yml"
    },
    {
      "type": "WEB",
      "url": "https://puppet.com/security/cve/CVE-2017-10689"
    },
    {
      "type": "WEB",
      "url": "https://tickets.puppetlabs.com/browse/PUP-7866"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3567-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Tarball permission preservation in puppet"
}

When installing a module using the system tar, the PMT will filter filesystem permissions to a sane value. This may just be based on the user's umask. When using minitar, files are unpacked with whatever permissions are in the tarball. This is potentially unsafe, as tarballs can be easily created with weird permissions.

Aliases

CVE-2017-10689

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-10689",
    "description": "In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.",
    "id": "GSD-2017-10689",
    "references": [
      "https://www.suse.com/security/cve/CVE-2017-10689.html",
      "https://access.redhat.com/errata/RHSA-2018:2927",
      "https://ubuntu.com/security/CVE-2017-10689",
      "https://advisories.mageia.org/CVE-2017-10689.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "puppet",
            "purl": "pkg:gem/puppet"
          }
        }
      ],
      "aliases": [
        "CVE-2017-10689",
        "GHSA-vw22-465p-8j5w"
      ],
      "details": "When installing a module using the system tar, the PMT will filter filesystem\npermissions to a sane value. This may just be based on the user\u0027s umask.\n\nWhen using minitar, files are unpacked with whatever permissions are in the\ntarball. This is potentially unsafe, as tarballs can be easily created with\nweird permissions.\n",
      "id": "GSD-2017-10689",
      "modified": "2022-05-13T00:00:00.000Z",
      "published": "2022-05-13T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://puppet.com/security/cve/CVE-2017-10689"
        },
        {
          "type": "WEB",
          "url": "https://access.redhat.com/errata/RHSA-2018:2927"
        },
        {
          "type": "WEB",
          "url": "https://usn.ubuntu.com/3567-1/"
        },
        {
          "type": "WEB",
          "url": "https://github.com/puppetlabs/puppet/commit/17d9e02da3882e44c1876e2805cf9708481715ee"
        },
        {
          "type": "WEB",
          "url": "https://github.com/puppetlabs/puppet/commit/2f1047f85e22cde139a421bc25d371f2ffc92cb1"
        },
        {
          "type": "WEB",
          "url": "https://tickets.puppetlabs.com/browse/PUP-7866"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 5.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Tarball permission preservation in puppet"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@puppet.com",
        "DATE_PUBLIC": "2018-02-05T00:00:00",
        "ID": "CVE-2017-10689",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Puppet Enterprise",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "prior to 2016.4.10 or 2017.3.4"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Puppet Agent",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "prior to 5.3.4 or 1.10.10"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Puppet"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Incorrect Permission Handling"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "USN-3567-1",
            "refsource": "UBUNTU",
            "url": "https://usn.ubuntu.com/3567-1/"
          },
          {
            "name": "https://puppet.com/security/cve/CVE-2017-10689",
            "refsource": "CONFIRM",
            "url": "https://puppet.com/security/cve/CVE-2017-10689"
          },
          {
            "name": "RHSA-2018:2927",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2018:2927"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2017-10689",
      "cvss_v3": 5.5,
      "date": "2022-05-13",
      "description": "When installing a module using the system tar, the PMT will filter filesystem\npermissions to a sane value. This may just be based on the user\u0027s umask.\n\nWhen using minitar, files are unpacked with whatever permissions are in the\ntarball. This is potentially unsafe, as tarballs can be easily created with\nweird permissions.\n",
      "gem": "puppet",
      "ghsa": "vw22-465p-8j5w",
      "patched_versions": [
        "~\u003e 4.10.10",
        "\u003e= 5.3.4"
      ],
      "related": {
        "url": [
          "https://access.redhat.com/errata/RHSA-2018:2927",
          "https://usn.ubuntu.com/3567-1/",
          "https://github.com/puppetlabs/puppet/commit/17d9e02da3882e44c1876e2805cf9708481715ee",
          "https://github.com/puppetlabs/puppet/commit/2f1047f85e22cde139a421bc25d371f2ffc92cb1",
          "https://tickets.puppetlabs.com/browse/PUP-7866"
        ]
      },
      "title": "Tarball permission preservation in puppet",
      "url": "https://puppet.com/security/cve/CVE-2017-10689"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c4.10.10||\u003e=5.0.0 \u003c5.3.4",
          "affected_versions": "All versions before 4.10.10, all versions starting from 5.0.0 before 5.3.4",
          "cvss_v2": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-269",
            "CWE-937"
          ],
          "date": "2022-07-22",
          "description": "In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.",
          "fixed_versions": [
            "4.10.10",
            "5.3.4"
          ],
          "identifier": "CVE-2017-10689",
          "identifiers": [
            "GHSA-vw22-465p-8j5w",
            "CVE-2017-10689"
          ],
          "not_impacted": "All versions starting from 4.10.10 before 5.0.0, all versions starting from 5.3.4",
          "package_slug": "gem/puppet",
          "pubdate": "2022-05-13",
          "solution": "Upgrade to versions 4.10.10, 5.3.4 or above.",
          "title": "Improper Privilege Management",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-10689",
            "https://access.redhat.com/errata/RHSA-2018:2927",
            "https://puppet.com/security/cve/CVE-2017-10689",
            "https://usn.ubuntu.com/3567-1/",
            "https://github.com/puppetlabs/puppet/commit/17d9e02da3882e44c1876e2805cf9708481715ee",
            "https://github.com/puppetlabs/puppet/commit/2f1047f85e22cde139a421bc25d371f2ffc92cb1",
            "https://tickets.puppetlabs.com/browse/PUP-7866",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2017-10689.yml",
            "https://github.com/advisories/GHSA-vw22-465p-8j5w"
          ],
          "uuid": "1746140e-f6bc-4d70-a49e-3c1f53abdc73"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.10.10",
                "versionStartIncluding": "1.10.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2017.3.4",
                "versionStartIncluding": "2017.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.3.4",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2016.4.10",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:satellite:6.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@puppet.com",
          "ID": "CVE-2017-10689"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-269"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://puppet.com/security/cve/CVE-2017-10689",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://puppet.com/security/cve/CVE-2017-10689"
            },
            {
              "name": "USN-3567-1",
              "refsource": "UBUNTU",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://usn.ubuntu.com/3567-1/"
            },
            {
              "name": "RHSA-2018:2927",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2019-10-03T00:03Z",
      "publishedDate": "2018-02-09T20:29Z"
    }
  }
}

cve-2017-10689

Vulnerability from cvelistv5

Published

2018-02-09 20:00

Modified

2024-09-17 00:20

Severity

Summary

In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.

References

URL	Tags
https://usn.ubuntu.com/3567-1/	vendor-advisory, x_refsource_UBUNTU
https://puppet.com/security/cve/CVE-2017-10689	x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:2927	vendor-advisory, x_refsource_REDHAT

Impacted products

Vendor	Product
Puppet	Puppet Enterprise
Puppet	Puppet Agent

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:41:55.627Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-3567-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3567-1/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://puppet.com/security/cve/CVE-2017-10689"
          },
          {
            "name": "RHSA-2018:2927",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:2927"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Puppet Enterprise",
          "vendor": "Puppet",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 2016.4.10 or 2017.3.4"
            }
          ]
        },
        {
          "product": "Puppet Agent",
          "vendor": "Puppet",
          "versions": [
            {
              "status": "affected",
              "version": "prior to 5.3.4 or 1.10.10"
            }
          ]
        }
      ],
      "datePublic": "2018-02-05T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Incorrect Permission Handling",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-17T09:57:01",
        "orgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
        "shortName": "puppet"
      },
      "references": [
        {
          "name": "USN-3567-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3567-1/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://puppet.com/security/cve/CVE-2017-10689"
        },
        {
          "name": "RHSA-2018:2927",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:2927"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@puppet.com",
          "DATE_PUBLIC": "2018-02-05T00:00:00",
          "ID": "CVE-2017-10689",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Puppet Enterprise",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to 2016.4.10 or 2017.3.4"
                          }
                        ]
                      }
                    },
                    {
                      "product_name": "Puppet Agent",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "prior to 5.3.4 or 1.10.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Puppet"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Incorrect Permission Handling"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-3567-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3567-1/"
            },
            {
              "name": "https://puppet.com/security/cve/CVE-2017-10689",
              "refsource": "CONFIRM",
              "url": "https://puppet.com/security/cve/CVE-2017-10689"
            },
            {
              "name": "RHSA-2018:2927",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:2927"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ca2a266c-be2f-4d4b-92d0-47b76b1a9c4e",
    "assignerShortName": "puppet",
    "cveId": "CVE-2017-10689",
    "datePublished": "2018-02-09T20:00:00Z",
    "dateReserved": "2017-06-29T00:00:00",
    "dateUpdated": "2024-09-17T00:20:43.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

ghsa-vw22-465p-8j5w

Vulnerability from github

gsd-2017-10689

Vulnerability from gsd

cve-2017-10689

Vulnerability from cvelistv5

Tags