Vulnerability CVE-2017-10689

Vulnerability Name:

CVE-2017-10689 (CCN-139449)

Assigned:

2017-06-29

Published:

2018-02-05

Updated:

2019-10-03

Summary:

In previous versions of Puppet Agent it was possible to install a module with world writable permissions. Puppet Agent 5.3.4 and 1.10.10 included a fix to this vulnerability.

CVSS v3 Severity:

5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): High Availibility (A): None

2.8 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
2.5 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

1.7 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:P/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-269

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2017-10689

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:2927

Source: XF
Type: UNKNOWN
puppet-cve201710689-weak-security(139449)

Source: CCN
Type: Puppet Web site
CVE-2017-10689 - Insecure permissions on some modules when installing with PE

Source: CONFIRM
Type: Vendor Advisory
https://puppet.com/security/cve/CVE-2017-10689

Source: UBUNTU
Type: Third Party Advisory
USN-3567-1

Vulnerable Configuration:

Configuration 1:

cpe:/a:puppet:puppet:*:*:*:*:*:*:*:* (Version >= 1.10.0 and < 1.10.10)

OR cpe:/a:puppet:puppet:*:*:*:*:*:*:*:* (Version < 5.3.4)

OR cpe:/a:puppet:puppet_enterprise:*:*:*:*:*:*:*:* (Version < 2016.4.10)

OR cpe:/a:puppet:puppet_enterprise:*:*:*:*:*:*:*:* (Version >= 2017.1.0 and < 2017.3.4)

Configuration 2:

cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

Configuration 3:

cpe:/a:redhat:satellite:6.4:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:puppet:puppet:2015.2.0::~~enterprise~~~:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:201710689	V	CVE-2017-10689	2022-09-02
oval:org.opensuse.security:def:6346	P	Security update for libEMF (Moderate) (in QA)	2022-08-29
oval:org.opensuse.security:def:123912	P	puppet-3.8.5-15.9.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:6331	P	Security update for the Linux Kernel (Important)	2022-05-16
oval:org.opensuse.security:def:55285	P	Security update for log4j (Important)	2021-12-17
oval:org.opensuse.security:def:6238	P	Security update for netcdf (Important)	2021-11-25
oval:org.opensuse.security:def:55269	P	Security update for postgresql, postgresql13, postgresql14 (Important)	2021-11-20
oval:org.opensuse.security:def:6216	P	Security update for qemu (Important)	2021-11-03
oval:org.opensuse.security:def:6208	P	Security update for ncurses (Moderate)	2021-10-20
oval:org.opensuse.security:def:7189	P	Security update for the Linux Kernel (Live Patch 9 for SLE 15 SP2) (Important)	2021-10-14
oval:org.opensuse.security:def:7167	P	Security update for the Linux Kernel (Live Patch 8 for SLE 15 SP2) (Important)	2021-09-16
oval:org.opensuse.security:def:55231	P	Security update for MozillaFirefox (Important)	2021-08-17
oval:org.opensuse.security:def:13795	P	cups-1.7.5-12.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14702	P	logrotate-3.11.0-2.11.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13996	P	pam-1.1.8-14.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13843	P	gv-3.7.4-1.36 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14725	P	patch-2.7.5-8.5.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14064	P	xinetd-2.3.15-7.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13971	P	libvdpau1-1.1.1-6.73 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13796	P	cups-filters-1.0.58-13.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14703	P	logwatch-7.4.3-15.65 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13997	P	pam-modules-12.1-23.12 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14051	P	update-alternatives-1.18.4-14.216 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13878	P	libXrender1-0.9.8-3.55 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14065	P	xlockmore-5.43-5.30 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13972	P	libvirt-2.0.0-26.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14040	P	supportutils-3.0-85.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13859	P	kernel-default-4.4.21-69.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14052	P	vino-3.20.2-5.8 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13879	P	libXt6-1.1.4-3.57 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13842	P	guestfs-data-1.32.4-14.18 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14724	P	pam_yubico-2.26-1.25 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:14041	P	sysconfig-0.84.0-13.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13860	P	krb5-1.12.5-39.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:6284	P	Security update for caribou (Important)	2021-06-10
oval:org.opensuse.security:def:12617	P	libraw9-0.15.4-21.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12355	P	sysconfig-0.84.0-13.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12194	P	libecpg6-9.6.3-2.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:77993	P	puppet-3.8.5-15.9.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12393	P	aaa_base-13.2+git20140911.61c1681-38.8.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12693	P	pidgin-plugin-otr-4.0.2-1.29 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12385	P	yast2-core-3.2.2-1.29 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12542	P	libexif12-0.6.21-8.3.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:13728	P	strongswan-5.1.3-18.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12179	P	libXtst6-1.2.2-7.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12684	P	pcsc-ccid-1.4.25-4.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12523	P	libXt6-1.1.4-3.59 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:13706	P	python-cupshelpers-1.4.5-1.5 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:13698	P	perl-XML-LibXML-2.0019-5.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12132	P	gstreamer-0_10-plugins-bad-0.10.23-25.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:13729	P	stunnel-5.00-3.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12313	P	pam_krb5-2.4.4-4.5 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12508	P	libSoundTouch0-1.7.1-5.3.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:13366	P	libgudev-1_0-0-210-44.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12086	P	cups-pk-helper-0.2.5-5.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12377	P	xfsprogs-4.3.0-12.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:13707	P	python-imaging-1.1.7-21.15 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12288	P	libwmf-0_2-7-0.2.8.4-242.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:13699	P	perl-YAML-LibYAML-0.38-10.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12461	P	gnome-online-accounts-3.20.5-9.6 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:13344	P	libXt6-1.1.4-3.57 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12642	P	libvirt-4.0.0-6.13 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12697	P	puppet-3.8.5-15.9.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12064	P	audiofile-0.3.6-10.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12364	P	unrar-5.0.14-3.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12056	P	MozillaFirefox-52.2.0esr-108.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12213	P	libjasper1-1.900.14-194.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12415	P	coreutils-8.25-13.7.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:12706	P	python3-requests-2.7.0-2.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:54736	P	Security update for fwupdate (Important)	2021-04-09
oval:org.opensuse.security:def:6465	P	Security update for openldap2 (Important)	2021-03-08
oval:org.opensuse.security:def:6440	P	Security update for the Linux Kernel (Important)	2020-12-10
oval:org.opensuse.security:def:13037	P	libopenvswitch-2_11-0-2.11.1-1.75 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:13015	P	libldap-2_4-2-2.4.41-18.63.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:53827	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:38492	P	sysconfig on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:52485	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:53331	P	Security update for bind (Moderate)	2020-12-01
oval:org.opensuse.security:def:53660	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:38095	P	xalan-j2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:6498	P	radvd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55021	P	tcpdump on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:37718	P	zoo on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38521	P	xinetd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:54628	P	libzip2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:37706	P	xen on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:54227	P	kbd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38186	P	ft2demos on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53890	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:56626	P	Security update for ecryptfs-utils (Moderate)	2020-12-01
oval:org.opensuse.security:def:38453	P	procmail on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53165	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:55065	P	bash on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53520	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:38038	P	python on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:54940	P	libtirpc-netconfig on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:39244	P	Security update for puppet (Moderate)	2020-12-01
oval:org.opensuse.security:def:37707	P	xf86-video-intel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38493	P	syslog-service on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53497	P	Security update for curl (Important)	2020-12-01
oval:org.opensuse.security:def:54343	P	openvpn on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53989	P	kbd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38096	P	xdg-utils on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53816	P	Security update for LibreOffice (Moderate)	2020-12-01
oval:org.opensuse.security:def:55350	P	perl-HTML-Parser on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:6529	P	wireshark on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53059	P	Initial update for kernel-azure (Moderate)	2020-12-01
oval:org.opensuse.security:def:54957	P	libzip2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55359	P	puppet on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:52486	P	Security update for MozillaThunderbird and mozilla-nspr (Important)	2020-12-01
oval:org.opensuse.security:def:37937	P	libpcre1-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:54902	P	libopus0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:39202	P	libpcrecpp0-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38454	P	python on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:54177	P	cvs on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38404	P	libxmltooling6 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53849	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:38039	P	python-PyYAML on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:39245	P	Security update for rubygem-puppet (Moderate)	2020-12-01
oval:org.opensuse.security:def:6516	P	tar on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53826	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:52886	P	Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP1) (Important)	2020-12-01
oval:org.opensuse.security:def:54672	P	rsync on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:37801	P	gnome-shell on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:6365	P	libblkid1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:54828	P	libX11-6 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38564	P	cpio on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53724	P	Security update for mariadb (Moderate)	2020-12-01
oval:org.opensuse.security:def:54071	P	libtiff5-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38345	P	libpcre1-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56371	P	Security update for puppet (Moderate)	2020-12-01
oval:org.opensuse.security:def:53498	P	Security update for tomcat (Important)	2020-12-01
oval:org.opensuse.security:def:37938	P	libpcsclite1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:39203	P	libpcsclite1-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:6507	P	shim on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:52648	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:54506	P	krb5 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38405	P	libxslt-tools on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:54009	P	libXv1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:37717	P	yast2-users on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38520	P	xfsprogs on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53616	P	Security update for ghostscript (Important)	2020-12-01
oval:org.opensuse.security:def:37705	P	xdg-utils on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53898	P	Security update for openconnect (Moderate)	2020-12-01
oval:org.opensuse.security:def:38185	P	freeradius-server on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56297	P	Security update for qemu (Important)	2020-12-01
oval:org.opensuse.security:def:37802	P	gnome-shell-search-provider-nautilus on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55157	P	kernel-firmware on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38565	P	cpp48 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:52508	P	Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:54400	P	wget on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:38346	P	libpcsclite1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:53928	P	avahi on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:56700	P	Security update for puppet (Moderate)	2020-12-01
oval:org.opensuse.security:def:79005	P	Security update for puppet (Moderate)	2018-03-01
oval:org.opensuse.security:def:79334	P	Security update for puppet (Moderate)	2018-03-01
oval:com.ubuntu.bionic:def:2017106890000000	V	CVE-2017-10689 on Ubuntu 18.04 LTS (bionic) - medium.	2018-02-09
oval:com.ubuntu.artful:def:201710689000	V	CVE-2017-10689 on Ubuntu 17.10 (artful) - medium.	2018-02-09
oval:com.ubuntu.xenial:def:201710689000	V	CVE-2017-10689 on Ubuntu 16.04 LTS (xenial) - medium.	2018-02-09
oval:com.ubuntu.xenial:def:2017106890000000	V	CVE-2017-10689 on Ubuntu 16.04 LTS (xenial) - medium.	2018-02-09
oval:com.ubuntu.bionic:def:201710689000	V	CVE-2017-10689 on Ubuntu 18.04 LTS (bionic) - medium.	2018-02-09
oval:com.ubuntu.cosmic:def:201710689000	V	CVE-2017-10689 on Ubuntu 18.10 (cosmic) - medium.	2018-02-09
oval:com.ubuntu.cosmic:def:2017106890000000	V	CVE-2017-10689 on Ubuntu 18.10 (cosmic) - medium.	2018-02-09
oval:com.ubuntu.trusty:def:201710689000	V	CVE-2017-10689 on Ubuntu 14.04 LTS (trusty) - medium.	2018-02-09

BACK