Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017.3.x prior to 2017.3.7, Puppet Enterprise 2018.1.x prior to 2018.1.1, Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2, were vulnerable to an attack where an unprivileged user on Windows agents could write custom facts that can escalate privileges on the next puppet run. This was possible through the loading of shared libraries from untrusted paths.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: puppet

Published: 2018-06-11T20:00:00Z

Updated: 2024-09-17T01:46:25.460Z

Reserved: 2018-02-01T00:00:00

Link: CVE-2018-6513

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-06-11T20:29:00.267

Modified: 2024-11-21T04:10:48.390

Link: CVE-2018-6513

cve-icon Redhat

No data.