Release date:
Updated on: 2013-08-21
Affected Systems:
Puppet Labs Puppet Enterprise 3.x
Unaffected system:
Puppet Labs Puppet Enterprise 3.0.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 61860
CVE (CAN) ID: CVE-2013-4968
Puppet is IT automation software that helps system administrators manage infrastructure.
A clickjacking vulnerability in Puppet Enterprise versions before 3.0.1 allows attackers to trick users into clicking buttons or links on transparent or opaque layers instead of the links they intended to click, in order to obtain sensitive information such as user passwords, execute arbitrary code, or perform other unauthorized operations.
<* Source: Puppet Labs
Link: http://www.securelist.com/en/advisories/54552
http://puppetlabs.com/security/cve/cve-2013-4968
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Puppet Labs
-----------
Puppet Labs has released a security bulletin (CVE-2013-4968) and patches for this issue:
cve-2013-4968: CVE-2013-4968 (Site Lacked Clickjacking Defense)
Link: http://puppetlabs.com/security/cve/cve-2013-4968
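To check whether a console's responses restrict framing after upgrading, the following added example (not part of the advisory or Puppet Labs' code) classifies a response's anti-framing headers. It assumes the defense is expressed through `X-Frame-Options` or the CSP `frame-ancestors` directive, since the advisory does not say which mechanism the fix uses; the function name and the sample headers are constructed for illustration.

```python
def framing_policy(headers):
    """Classify anti-framing headers from (name, value) pairs.

    Returns 'deny', 'sameorigin', 'allowlist' or 'unprotected'.
    Simplification: only the first enforced CSP policy that carries
    frame-ancestors is examined.
    """
    xfo, ancestors = [], None
    for name, value in headers:
        key = name.strip().lower()
        if key == "x-frame-options":
            # The header may be repeated or comma-joined by a proxy.
            xfo += [v.strip().lower() for v in value.split(",")]
        elif key == "content-security-policy" and ancestors is None:
            for directive in value.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    ancestors = [t.lower() for t in tokens[1:]]
                    break  # first occurrence within a policy wins
    if ancestors is not None:
        # frame-ancestors supersedes X-Frame-Options when both are sent.
        if not ancestors or ancestors == ["'none'"]:
            return "deny"
        if any(s in ("*", "http:", "https:") for s in ancestors):
            return "unprotected"  # any site (or any https site) may frame
        if ancestors == ["'self'"]:
            return "sameorigin"
        return "allowlist"
    if "deny" in xfo:
        return "deny"
    if "sameorigin" in xfo:
        return "sameorigin"
    return "unprotected"  # missing, invalid, or obsolete ALLOW-FROM

# Constructed sample responses, not captured from a real console.
SAMPLES = {
    "no defense": [("Content-Type", "text/html")],
    "xfo deny": [("X-Frame-Options", "DENY")],
    "xfo allow-from": [("X-Frame-Options", "ALLOW-FROM https://console.example")],
    "report-only csp": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "csp self": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "csp wildcard + xfo": [("X-Frame-Options", "DENY"),
                           ("Content-Security-Policy", "frame-ancestors *")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:20} {framing_policy(hdrs)}")
```

A result of `unprotected` on a page that renders login forms or state-changing controls means the response can still be embedded by another origin.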