Synced 18 Jun 2026 05:58 UTC

CVE-2013-1640

HIGH severity · CVSS 9

Summary

The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allow remote authenticated users to execute arbitrary code via a crafted catalog request.

Impact & exploitability

Attack vector: Network
Attack complexity: Low
Privileges required
User interaction
Confidentiality impact
Integrity impact
Availability impact
Exploit probability (EPSS): 5%

AV:N/AC:L/Au:S/C:C/I:C/A:C

Affected products we track (2)

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.