Miggo Logo

CVE-2011-0528: Puppet does not properly restrict access to node resources

5.5

CVSS Score

Basic Information

EPSS Score
0.49872%
Published
5/14/2022
Updated
1/19/2024
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
AV:N/AC:L/Au:S/C:P/I:P/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
puppetrubygems>= 2.6.0, <= 2.6.32.6.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the absence of the auth.conf configuration file in Puppet installations via certain methods (e.g., gems, source) in versions 2.6.0-2.6.3. The commit diff shows that the fix involved adding code to install auth.conf by default. The vulnerability itself is not caused by a specific function in the Puppet codebase but rather by the lack of proper access control configuration (auth.conf) during installation. The missing auth.conf file led to improper access control defaults, allowing authenticated nodes to access unauthorized resources. No specific functions in the Puppet runtime code were identified as directly vulnerable with high confidence; the issue is configuration-related rather than a flaw in a particular function's implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Pupp*t *.*.* t*rou** *.*.* *o*s not prop*rly r*stri*t ****ss to no** r*sour**s, w*i** *llows r*mot* *ut**nti**t** Pupp*t no**s to r*** or mo*i*y t** r*sour**s o* ot**r no**s vi* unsp**i*i** v**tors.

Reasoning

T** vuln*r**ility st*ms *rom t** **s*n** o* t** `*ut*.*on*` *on*i*ur*tion *il* in Pupp*t inst*ll*tions vi* **rt*in m*t*o*s (*.*., **ms, sour**) in v*rsions *.*.*-*.*.*. T** *ommit *i** s*ows t**t t** *ix involv** ***in* *o** to inst*ll `*ut*.*on*` *y