Lucene search

[email protected]CVE-2013-1653

HistoryMar 20, 2013 - 4:55 p.m.

CVE-2013-1653

2013-03-2016:55:01

[email protected]

web.nvd.nist.gov

puppet

cve-2013-1653

remote code execution

information security

vulnerability

7.1 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:S/C:C/I:C/A:C

7.2 High

AI Score

Confidence

Low

0.014 Low

EPSS

Percentile

86.7%

JSON

Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to the “run” REST endpoint is allowed, allows remote authenticated users to execute arbitrary code via a crafted HTTP request.

Affected configurations

NVD

Node

puppetpuppetRange2.6.0–2.6.17

Node

puppetpuppetMatch2.7.2

puppetpuppetMatch2.7.3

puppetpuppetMatch2.7.4

puppetpuppetMatch2.7.5

puppetpuppetMatch2.7.6

puppetpuppetMatch2.7.7

puppetpuppetMatch2.7.8

puppetpuppetMatch2.7.9

puppetpuppetMatch2.7.10

puppetpuppetMatch2.7.11

puppetpuppetMatch2.7.12

puppetpuppetMatch2.7.13

puppetpuppetMatch2.7.14

puppetpuppetMatch2.7.16

puppetpuppetMatch2.7.17

puppetpuppetMatch2.7.18

puppetlabspuppetMatch2.7.0

puppetlabspuppetMatch2.7.1

puppetlabspuppetMatch2.7.19

puppetlabspuppetMatch2.7.20

puppetlabspuppetMatch2.7.20rc1

Node

puppetpuppet_enterpriseMatch3.1.0

Node

puppetlabspuppetMatch1.0enterprise

puppetlabspuppetMatch1.1enterprise

puppetlabspuppetMatch1.2.0enterprise

puppetlabspuppetMatch1.2.1enterprise

puppetlabspuppetMatch1.2.2enterprise

puppetlabspuppetMatch1.2.3enterprise

puppetlabspuppetMatch1.2.4enterprise

puppetlabspuppetMatch1.2.5enterprise

puppetlabspuppetMatch1.2.6enterprise

Node

puppetpuppet_enterpriseMatch2.7.0

puppetpuppet_enterpriseMatch2.7.1

Node

canonicalubuntu_linuxMatch11.10

canonicalubuntu_linuxMatch12.04lts

canonicalubuntu_linuxMatch12.10

CPENameOperatorVersion
puppet:puppetpuppetle2.6.17

CPE	Name	Operator	Version
puppet:puppet	puppet	le	2.6.17

References

lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html

lists.opensuse.org/opensuse-updates/2013-04/msg00056.html

secunia.com/advisories/52596

ubuntu.com/usn/usn-1759-1

www.debian.org/security/2013/dsa-2643

www.securityfocus.com/bid/58446

puppetlabs.com/security/cve/cve-2013-1653/

7.1 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:S/C:C/I:C/A:C

7.2 High

AI Score

Confidence

Low

0.014 Low

EPSS

Percentile

86.7%

JSON

Related for CVE-2013-1653

nvd1 debiancve1 ubuntucve1 cvelist1 prion1 securityvulns2 openvas10 nessus8 ubuntu1 fedora2 freebsd1 suse1 debian1 osv1 gentoo1