CVE-2013-2274

Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.

CVSS v2.0 6.5 MEDIUM

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/52596	Vendor Advisory
http://www.debian.org/security/2013/dsa-2643
https://puppetlabs.com/security/cve/cve-2013-2274/	Vendor Advisory
http://www.securityfocus.com/bid/58447
http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
http://rhn.redhat.com/errata/RHSA-2013-0710.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:puppet:puppet:2.6.14:::::::*
	cpe:2.3:a:puppet:puppet:2.6.12:::::::*
	cpe:2.3:a:puppet:puppet:2.6.1:::::::*
	cpe:2.3:a:puppet:puppet:2.6.8:::::::*
	cpe:2.3:a:puppet:puppet:2.6.0:::::::*
	cpe:2.3:a:puppet:puppet:2.6.15:::::::*
	cpe:2.3:a:puppet:puppet:2.6.11:::::::*
	cpe:2.3:a:puppet:puppet:2.6.10:::::::*
	cpe:2.3:a:puppet:puppet:2.6.5:::::::*
	cpe:2.3:a:puppetlabs:puppet:2.6.17:::::::*
	cpe:2.3:a:puppet:puppet:2.6.16:::::::*
	cpe:2.3:a:puppet:puppet:2.6.2:::::::*
	cpe:2.3:a:puppet:puppet:2.6.3:::::::*
	cpe:2.3:a:puppet:puppet:2.6.4:::::::*
	cpe:2.3:a:puppet:puppet:2.6.6:::::::*
	cpe:2.3:a:puppet:puppet:2.6.7:::::::*
	cpe:2.3:a:puppet:puppet:2.6.9:::::::*
	cpe:2.3:a:puppet:puppet:2.6.13:::::::*

Configuration 2 (hide)

cpe:2.3:a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:*

Information

Published : 2013-03-20 09:55

Updated : 2019-07-10 11:02

NVD link : CVE-2013-2274

Mitre link : CVE-2013-2274

JSON object : View

CWE

NVD-CWE-noinfo

Products Affected

puppet

puppet_enterprise
puppet

puppetlabs

puppet

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://secunia.com/advisories/52596", "name": "52596", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://www.debian.org/security/2013/dsa-2643", "name": "DSA-2643", "tags": [], "refsource": "DEBIAN"}, {"url": "https://puppetlabs.com/security/cve/cve-2013-2274/", "name": "https://puppetlabs.com/security/cve/cve-2013-2274/", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/bid/58447", "name": "58447", "tags": [], "refsource": "BID"}, {"url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html", "name": "openSUSE-SU-2013:0641", "tags": [], "refsource": "SUSE"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html", "name": "SUSE-SU-2013:0618", "tags": [], "refsource": "SUSE"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-0710.html", "name": "RHSA-2013:0710", "tags": [], "refsource": "REDHAT"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-2274", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2013-03-20T16:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.15:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppetlabs:puppet:2.6.17:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.16:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.6.13:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2019-07-10T18:02Z"}

6.5 /10