CVE-2013-4761

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master.

CVSS v2.0 5.1 MEDIUM

5.1^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:P

Exploitability : 4.9 / Impact : 6.4

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://puppetlabs.com/security/cve/cve-2013-4761/	Vendor Advisory
http://www.debian.org/security/2013/dsa-2761
http://rhn.redhat.com/errata/RHSA-2013-1284.html
http://rhn.redhat.com/errata/RHSA-2013-1283.html
http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00009.html

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:puppetlabs:puppet:3.2.0:::::::*
	cpe:2.3:a:puppet:puppet:3.2.1:::::::*
	cpe:2.3:a:puppet:puppet:3.2.2:::::::*
	cpe:2.3:a:puppet:puppet:3.2.3:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:puppet:puppet:2.7.2:::::::*
	cpe:2.3:a:puppetlabs:puppet:2.7.1:::::::*
	cpe:2.3:a:puppetlabs:puppet:2.7.0:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:puppet:puppet_enterprise:3.0.0:::::::*
	cpe:2.3:a:puppet:puppet_enterprise:2.8.2:::::::*
	cpe:2.3:a:puppet:puppet_enterprise:2.8.0:::::::*
	cpe:2.3:a:puppet:puppet_enterprise:2.8.1:::::::*

Information

Published : 2013-08-20 15:55

Updated : 2019-07-10 11:10

NVD link : CVE-2013-4761

Mitre link : CVE-2013-4761

JSON object : View

CWE

NVD-CWE-noinfo

Advertisement

Products Affected

puppet

puppet_enterprise
puppet

puppetlabs

puppet

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://puppetlabs.com/security/cve/cve-2013-4761/", "name": "http://puppetlabs.com/security/cve/cve-2013-4761/", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://www.debian.org/security/2013/dsa-2761", "name": "DSA-2761", "tags": [], "refsource": "DEBIAN"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-1284.html", "name": "RHSA-2013:1284", "tags": [], "refsource": "REDHAT"}, {"url": "http://rhn.redhat.com/errata/RHSA-2013-1283.html", "name": "RHSA-2013:1283", "tags": [], "refsource": "REDHAT"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00009.html", "name": "SUSE-SU-2014:0155", "tags": [], "refsource": "SUSE"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified \"local file system access\" to the Puppet Master."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2013-4761", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 5.1, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2013-08-20T22:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:puppetlabs:puppet:3.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:3.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:3.2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet:3.2.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:puppet:puppet_enterprise:3.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet_enterprise:2.8.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet_enterprise:2.8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:puppet:puppet_enterprise:2.8.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2019-07-10T18:10Z"}