CVE-2013-1652
MEDIUM severity · CVSS 4.9 · CWE-264
4.9CVSS MEDIUM
Summary
Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors.
Impact & exploitability
Attack vectorNetwork
Attack complexity—
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impactNone
Exploit probability (EPSS)2%
AV:N/AC:M/Au:S/C:P/I:P/A:N
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://secunia.com/advisories/52596Advisory
- https://puppetlabs.com/security/cve/cve-2013-1652/Advisory
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.htmlAdvisory
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.htmlAdvisory
- http://rhn.redhat.com/errata/RHSA-2013-0710.htmlAdvisory
- http://ubuntu.com/usn/usn-1759-1Advisory
- http://www.debian.org/security/2013/dsa-2643Advisory
- http://www.securityfocus.com/bid/58443Advisory