Input validation error in Puppet Agent and Puppet Enterprise - CVE-2013-4761
Published: August 21, 2013 / Updated: August 10, 2020
Vulnerability identifier: #VU42642
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2013-4761
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Puppet Labs
Affected software:
Puppet Agent
Puppet Enterprise
Puppet Agent
Puppet Enterprise
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master.
How to mitigate CVE-2013-4761
Install update from vendor's website.