{"id":"USN-3308-1","summary":"puppet vulnerabilities","details":"Dennis Rowe discovered that Puppet incorrectly handled the search path. A\nlocal attacker could use this issue to possibly execute arbitrary code.\n(CVE-2014-3248)\n\nIt was discovered that Puppet incorrectly handled YAML deserialization. A\nremote attacker could possibly use this issue to execute arbitrary code on\nthe master. This update is incompatible with agents older than 3.2.2.\n(CVE-2017-2295)\n","modified":"2026-02-10T04:41:08Z","published":"2017-06-05T16:28:41Z","related":["UBUNTU-CVE-2014-3248","UBUNTU-CVE-2017-2295"],"upstream":["CVE-2014-3248","CVE-2017-2295","UBUNTU-CVE-2014-3248","UBUNTU-CVE-2017-2295"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3308-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-3248"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-2295"}],"affected":[{"package":{"name":"puppet","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/puppet@3.4.3-1ubuntu1.2?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.4.3-1ubuntu1.2"}]}],"versions":["3.2.4-2ubuntu2","3.3.1-1ubuntu1","3.3.1-1ubuntu2","3.3.1-1ubuntu3","3.4.2-1","3.4.3-1","3.4.3-1ubuntu1","3.4.3-1ubuntu1.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"3.4.3-1ubuntu1.2","binary_name":"puppet"},{"binary_version":"3.4.3-1ubuntu1.2","binary_name":"puppet-common"},{"binary_version":"3.4.3-1ubuntu1.2","binary_name":"puppet-el"},{"binary_version":"3.4.3-1ubuntu1.2","binary_name":"puppet-testsuite"},{"binary_version":"3.4.3-1ubuntu1.2","binary_name":"puppetmaster"},{"binary_version":"3.4.3-1ubuntu1.2","binary_name":"puppetmaster-common"},{"binary_version":"3.4.3-1ubuntu1.2","binary_name":"puppetmaster-passenger"},{"binary_version":"3.4.3-1ubuntu1.2","binary_name":"vim-puppet"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:14.04:LTS","cves":[{"id":"CVE-2014-3248","severity":[{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2017-2295","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3308-1.json"}}],"schema_version":"1.7.3"}