CVE-2013-2274 - OpenCVE

Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Puppetlabs	Puppet
Puppet	Puppet Puppet Enterprise

Configuration 1 [-]

OR	cpe:2.3:a:puppet:puppet:2.6.0:::::::*
	cpe:2.3:a:puppet:puppet:2.6.1:::::::*
	cpe:2.3:a:puppet:puppet:2.6.2:::::::*
	cpe:2.3:a:puppet:puppet:2.6.3:::::::*
	cpe:2.3:a:puppet:puppet:2.6.4:::::::*
	cpe:2.3:a:puppet:puppet:2.6.5:::::::*
	cpe:2.3:a:puppet:puppet:2.6.6:::::::*
	cpe:2.3:a:puppet:puppet:2.6.7:::::::*
	cpe:2.3:a:puppet:puppet:2.6.8:::::::*
	cpe:2.3:a:puppet:puppet:2.6.9:::::::*
	cpe:2.3:a:puppet:puppet:2.6.10:::::::*
	cpe:2.3:a:puppet:puppet:2.6.11:::::::*
	cpe:2.3:a:puppet:puppet:2.6.12:::::::*
	cpe:2.3:a:puppet:puppet:2.6.13:::::::*
	cpe:2.3:a:puppet:puppet:2.6.14:::::::*
	cpe:2.3:a:puppet:puppet:2.6.15:::::::*
	cpe:2.3:a:puppet:puppet:2.6.16:::::::*
	cpe:2.3:a:puppetlabs:puppet:2.6.17:::::::*

Configuration 2 [-]

cpe:2.3:a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
http://rhn.redhat.com/errata/RHSA-2013-0710.html
http://secunia.com/advisories/52596	Vendor Advisory
http://www.debian.org/security/2013/dsa-2643
http://www.securityfocus.com/bid/58447
https://puppetlabs.com/security/cve/cve-2013-2274/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2013-03-20T16:00:00

Updated: 2013-04-11T09:00:00

Reserved: 2013-02-26T00:00:00

Link: CVE-2013-2274

JSON object: View

NVD Information

Status : Modified

Published: 2013-03-20T16:55:01.827

Modified: 2019-07-10T18:02:15.030

Link: CVE-2013-2274

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-03-12T00:00:00", "descriptions": [{"lang": "en", "value": "Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-04-11T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "SUSE-SU-2013:0618", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html"}, {"name": "RHSA-2013:0710", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0710.html"}, {"name": "DSA-2643", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2013/dsa-2643"}, {"name": "58447", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/58447"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://puppetlabs.com/security/cve/cve-2013-2274/"}, {"name": "52596", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52596"}, {"name": "openSUSE-SU-2013:0641", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-2274", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "SUSE-SU-2013:0618", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html"}, {"name": "RHSA-2013:0710", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0710.html"}, {"name": "DSA-2643", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2013/dsa-2643"}, {"name": "58447", "refsource": "BID", "url": "http://www.securityfocus.com/bid/58447"}, {"name": "https://puppetlabs.com/security/cve/cve-2013-2274/", "refsource": "CONFIRM", "url": "https://puppetlabs.com/security/cve/cve-2013-2274/"}, {"name": "52596", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/52596"}, {"name": "openSUSE-SU-2013:0641", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-2274", "datePublished": "2013-03-20T16:00:00", "dateReserved": "2013-02-26T00:00:00", "dateUpdated": "2013-04-11T09:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet:2.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "9BEF50EE-4E4B-4641-BA34-B5024F1EF683", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "1CC72248-FD33-4CA0-A16E-0A174A864257", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "7CEFB16E-261F-4B81-BCBE-536CAD2EC44B", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.3:*:*:*:*:*:*:*", "matchCriteriaId": "652D28FC-7133-4C5F-95D9-3468548465B5", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "AEEEE59D-BC0E-4107-B55D-9B182825E557", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "B4ED400E-48F7-475B-A87C-A14EC63DD93D", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.6:*:*:*:*:*:*:*", "matchCriteriaId": "D827D4C2-7438-4EDD-9025-38D46CD5153C", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.7:*:*:*:*:*:*:*", "matchCriteriaId": "E73C341A-6C07-4820-B1D3-4616B634F380", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.8:*:*:*:*:*:*:*", "matchCriteriaId": "61381D4C-972F-4979-84D2-793E4C60E23E", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.9:*:*:*:*:*:*:*", "matchCriteriaId": "7D8C2A71-0277-4426-8627-D6FD275EFC62", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.10:*:*:*:*:*:*:*", "matchCriteriaId": "3FB3C44C-2C6C-496C-9D2E-C43FFB493C42", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.11:*:*:*:*:*:*:*", "matchCriteriaId": "AD2656B0-9606-477B-BEB3-35746218BF9C", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.12:*:*:*:*:*:*:*", "matchCriteriaId": "848F82FB-ACCE-42C0-A208-55522A030835", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.13:*:*:*:*:*:*:*", "matchCriteriaId": "B0BBFAA7-BB3F-49D2-975B-01194C66D7C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.14:*:*:*:*:*:*:*", "matchCriteriaId": "515BBBBF-7F42-490E-BF9D-B01AA3DD61C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.15:*:*:*:*:*:*:*", "matchCriteriaId": "31C87FE4-D9E8-4619-9ADB-DFC2D3FE4FB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.6.16:*:*:*:*:*:*:*", "matchCriteriaId": "04B6142C-AFC5-4045-8FA1-C07F2BEF487C", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppetlabs:puppet:2.6.17:*:*:*:*:*:*:*", "matchCriteriaId": "0AED05EE-5038-4F3E-B4C2-4926CAE4A9BE", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0A584D14-197E-47EB-B394-B8B211D4B502", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report."}, {"lang": "es", "value": "Puppet v2.6.x anterior a v2.6.18 y Puppet Enterprise v1.2.x anterior a v1.2.7 permite a usuarios remotos autenticados ejecutar c\u00f3digo arbitrario en el puppet master, o un agente con puppet kick habilitado, mediante una petici\u00f3n espcialmente dies\u00f1ada para un report."}], "id": "CVE-2013-2274", "lastModified": "2019-07-10T18:02:15.030", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-03-20T16:55:01.827", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0710.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/52596"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2013/dsa-2643"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/58447"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://puppetlabs.com/security/cve/cve-2013-2274/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}