Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-5w5j-n4tf-pqc4
Vulnerability ID VCID-5w5j-n4tf-pqc4
Aliases CVE-2014-3248
GHSA-92v7-pq4h-58j5
Summary Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-17 DEPRECATED: Code
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00074 https://api.first.org/data/v1/epss?cve=CVE-2014-3248
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-92v7-pq4h-58j5
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2014-3248
http://secunia.com/advisories/59197
http://secunia.com/advisories/59200
https://web.archive.org/web/20141129061319/http://www.securityfocus.com/bid/68035
http://www.securityfocus.com/bid/68035
CVE-2014-3248 http://puppetlabs.com/security/cve/cve-2014-3248
CVE-2014-3248 https://nvd.nist.gov/vuln/detail/CVE-2014-3248
CVE-2014-3248 https://web.archive.org/web/20150907182402/http://puppetlabs.com/security/cve/cve-2014-3248
CVE-2014-3248-A-LITTLE-PROBLEM-WITH-PUPPET http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/
CVE-2014-3248-A-LITTLE-PROBLEM-WITH-PUPPET https://web.archive.org/web/20150204183209/http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/
CVE-2014-3248.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/facter/CVE-2014-3248.yml
CVE-2014-3248.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/hiera/CVE-2014-3248.yml
CVE-2014-3248.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mcollective-client/CVE-2014-3248.yml
CVE-2014-3248.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2014-3248.yml
GHSA-92v7-pq4h-58j5 https://github.com/advisories/GHSA-92v7-pq4h-58j5
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.22495
EPSS Score 0.00074
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:53:07.248945+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/puppet/CVE-2014-3248.yml 38.6.0