Input validation error in Puppet Agent and Puppet Enterprise - CVE-2013-2274
Published: March 20, 2013 / Updated: August 11, 2020
Vulnerability identifier: #VU42981
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2013-2274
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Puppet Labs
Affected software:
Puppet Agent
Puppet Enterprise
Detailed vulnerability description
The vulnerability allows a remote authenticated user to read and manipulate data.
Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allow remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.
How to mitigate CVE-2013-2274
Install the update from the vendor's website.
Sources
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
- http://rhn.redhat.com/errata/RHSA-2013-0710.html
- http://secunia.com/advisories/52596
- http://www.debian.org/security/2013/dsa-2643
- http://www.securityfocus.com/bid/58447
- https://puppetlabs.com/security/cve/cve-2013-2274/