GHSA-vw22-465p-8j5w

Source
https://github.com/advisories/GHSA-vw22-465p-8j5w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vw22-465p-8j5w/GHSA-vw22-465p-8j5w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vw22-465p-8j5w
Aliases
Published
2022-05-13T01:41:57Z
Modified
2024-02-20T05:32:16.784114Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
Tarball permission preservation in puppet
Details

When installing a module using the system tar, the PMT (Puppet Module Tool) filters filesystem permissions to a sane value. This may simply be the result of the user's umask being applied.

When using minitar, files are unpacked with whatever permission bits are stored in the tarball. This is potentially unsafe, as a tarball can easily be created with arbitrary permissions on its entries.
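The contrast described above, as an added example that is neither Puppet's nor minitar's code: a ustar header is constructed in memory (so it runs offline), its mode field is read back as a tar extractor would, and the "preserve verbatim" result is compared with a umask-filtered one. All helper names are ours.

```ruby
# Build a 512-byte ustar header for a regular file with the given mode
# (constructed sample data, not a real module tarball).
def build_tar_header(name, mode, size = 0)
  h = [name].pack("a100")
  h << format("%07o\0%07o\0%07o\0", mode, 0, 0)        # mode, uid, gid
  h << format("%011o\0%011o\0", size, 0)               # size, mtime
  h << " " * 8                                         # checksum, filled below
  h << "0" << [""].pack("a100")                        # typeflag, linkname
  h << "ustar\0" << "00" << ["", ""].pack("a32a32")    # magic, version, uname, gname
  h << format("%07o\0%07o\0", 0, 0) << [""].pack("a155") # devmajor/minor, prefix
  h = h.ljust(512, "\0")
  h[148, 8] = format("%06o\0 ", h.bytes.sum)           # checksum over spaces
  h
end

# The mode field is 8 bytes of NUL-terminated ASCII octal at offset 100.
# Applying this value unchanged is what preserves setuid/world-writable bits.
def tar_mode(header)
  header[100, 8].unpack1("Z8").oct
end

# Recompute the header checksum (field counted as spaces) and compare.
def valid_checksum?(header)
  stored   = header[148, 8].unpack1("Z8").strip.oct
  computed = (header[0, 148] + " " * 8 + header[156, 356]).bytes.sum
  stored == computed
end

# What a umask-respecting extractor effectively does: drop setuid, setgid
# and sticky bits, keep only rwx bits, then mask them with the umask.
def sanitize_mode(mode, umask: 0o022)
  (mode & 0o777) & ~umask
end

def safe_mode_for(header, umask: 0o022)
  sanitize_mode(tar_mode(header), umask: umask)
end

if __FILE__ == $PROGRAM_NAME
  hdr = build_tar_header("modules/example/run.sh", 0o4777)
  printf("tarball mode %o, filtered mode %o\n", tar_mode(hdr), safe_mode_for(hdr))
end
```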

Database specific
{
    "nvd_published_at": "2018-02-09T20:29:00Z",
    "cwe_ids": [
        "CWE-269"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-21T22:29:32Z"
}
References

Affected packages

RubyGems / puppet

Package

Name
puppet
Purl
pkg:gem/puppet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.10.10

Affected versions

0.*

0.9.2
0.13.0
0.13.1
0.13.2
0.13.6
0.16.0
0.18.4
0.22.4
0.23.0
0.23.1
0.23.2
0.24.0
0.24.1
0.24.2
0.24.3
0.24.4
0.24.5
0.24.6
0.24.7
0.24.8
0.24.9
0.25.0
0.25.1
0.25.2
0.25.3
0.25.4
0.25.5

2.*

2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.6.15
2.6.16
2.6.17
2.6.18
2.7.1
2.7.3
2.7.4
2.7.5
2.7.6
2.7.8
2.7.9
2.7.11
2.7.12
2.7.13
2.7.14
2.7.16
2.7.17
2.7.18
2.7.19
2.7.20.rc1
2.7.20
2.7.21
2.7.22
2.7.23
2.7.24
2.7.25
2.7.26

3.*

3.0.0.rc4
3.0.0.rc5
3.0.0.rc7
3.0.0.rc8
3.0.0
3.0.1.rc1
3.0.1
3.0.2.rc1
3.0.2.rc2
3.0.2.rc3
3.0.2
3.1.0.rc1
3.1.0.rc2
3.1.0
3.1.1
3.2.0.rc1
3.2.0.rc2
3.2.1.rc1
3.2.1
3.2.2
3.2.3.rc1
3.2.3
3.2.4
3.3.0.rc2
3.3.0.rc3
3.3.0
3.3.1.rc1
3.3.1.rc2
3.3.1.rc3
3.3.1
3.3.2
3.4.0.rc1
3.4.0.rc2
3.4.0
3.4.1
3.4.2
3.4.3
3.5.0.rc1
3.5.0.rc2
3.5.0.rc3
3.5.1.rc1
3.5.1
3.6.0.rc1
3.6.0
3.6.1
3.6.2
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7

4.*

4.0.0.rc1
4.0.0
4.1.0
4.2.0
4.2.1
4.2.2
4.2.3
4.3.0
4.3.1
4.3.2
4.4.0
4.4.1
4.4.2
4.5.0
4.5.1
4.5.2
4.5.3
4.6.1
4.6.2
4.7.0
4.7.1
4.8.0
4.8.1
4.8.2
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.10.0
4.10.1
4.10.4
4.10.5
4.10.6
4.10.7
4.10.8
4.10.9

RubyGems / puppet

Package

Name
puppet
Purl
pkg:gem/puppet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.3.4

Affected versions

5.*

5.0.0
5.0.1
5.1.0
5.2.0
5.3.1
5.3.2
5.3.3