Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-7ypq-wmb7-quhc
Vulnerability ID VCID-7ypq-wmb7-quhc
Aliases CVE-2014-3248
GHSA-92v7-pq4h-58j5
Summary Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2) Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so; or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so in puppet/confine.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-17 DEPRECATED: Code
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
System Score Found at
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2014-3248
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2014-3248
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2014-3248
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2014-3248
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2014-3248
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2014-3248
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2014-3248
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2014-3248
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2014-3248
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-92v7-pq4h-58j5
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/facter/CVE-2014-3248.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/hiera/CVE-2014-3248.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mcollective-client/CVE-2014-3248.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2014-3248.yml
cvssv2 6.2 https://nvd.nist.gov/vuln/detail/CVE-2014-3248
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2014-3248
generic_textual MODERATE https://web.archive.org/web/20141129061319/http://www.securityfocus.com/bid/68035
generic_textual MODERATE https://web.archive.org/web/20150204183209/http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet
generic_textual MODERATE https://web.archive.org/web/20150907182402/http://puppetlabs.com/security/cve/cve-2014-3248
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-3248.json
https://api.first.org/data/v1/epss?cve=CVE-2014-3248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3248
http://secunia.com/advisories/59197
http://secunia.com/advisories/59200
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/facter/CVE-2014-3248.yml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/hiera/CVE-2014-3248.yml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mcollective-client/CVE-2014-3248.yml
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2014-3248.yml
https://web.archive.org/web/20141129061319/http://www.securityfocus.com/bid/68035
https://web.archive.org/web/20150204183209/http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet
https://web.archive.org/web/20150907182402/http://puppetlabs.com/security/cve/cve-2014-3248
http://www.securityfocus.com/bid/68035
1101346 https://bugzilla.redhat.com/show_bug.cgi?id=1101346
cpe:2.3:a:puppet:facter:2.0.0:rc1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:facter:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.0:rc2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:facter:2.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.0:rc3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:facter:2.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.0:rc4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:facter:2.0.0:rc4:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.1:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:facter:2.0.1:-:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.1:rc1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:facter:2.0.1:rc1:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.1:rc2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:facter:2.0.1:rc2:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.1:rc3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:facter:2.0.1:rc3:*:*:*:*:*:*
cpe:2.3:a:puppet:facter:2.0.1:rc4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:facter:2.0.1:rc4:*:*:*:*:*:*
cpe:2.3:a:puppet:hiera:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:hiera:*:*:*:*:*:*:*:*
cpe:2.3:a:puppetlabs:facter:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppetlabs:facter:*:*:*:*:*:*:*:*
cpe:2.3:a:puppet:marionette_collective:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:marionette_collective:*:*:*:*:*:*:*:*
cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*
cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*
CVE-2014-3248 http://puppetlabs.com/security/cve/cve-2014-3248
CVE-2014-3248 https://nvd.nist.gov/vuln/detail/CVE-2014-3248
CVE-2014-3248-A-LITTLE-PROBLEM-WITH-PUPPET http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/
CVE-2014-3248-A-LITTLE-PROBLEM-WITH-PUPPET https://web.archive.org/web/20150204183209/http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/
GHSA-92v7-pq4h-58j5 https://github.com/advisories/GHSA-92v7-pq4h-58j5
GLSA-201412-15 https://security.gentoo.org/glsa/201412-15
GLSA-201412-45 https://security.gentoo.org/glsa/201412-45
USN-3308-1 https://usn.ubuntu.com/3308-1/
No exploits are available.
Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C Found at https://nvd.nist.gov/vuln/detail/CVE-2014-3248
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Exploit Prediction Scoring System (EPSS)
Percentile 0.37243
EPSS Score 0.00164
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:47:25.192995+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/puppet/CVE-2014-3248.yml 38.0.0