CVE-2013-1653
HIGH severity · CVSS 7.1
Summary
Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and access to the "run" REST endpoint is allowed, allow remote authenticated users to execute arbitrary code via a crafted HTTP request.
Impact & exploitability
Attack vector: Network
Attack complexity: High
Privileges required: —
User interaction: —
Confidentiality impact: —
Integrity impact: —
Availability impact: —
Exploit probability (EPSS): 5%
CVSS v2 vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
Recommendation
Apply the vendor fix promptly: upgrade to Puppet 2.6.18, 2.7.21 or 3.1.1, or Puppet Enterprise 1.2.7 or 2.7.2, as applicable to the release line in use. Until the upgrade is applied, the summary above indicates that the issue only reaches hosts that listen for incoming connections and allow access to the "run" REST endpoint, so restricting that endpoint reduces exposure.
Additional information
- NVD record
- Advisory: https://puppetlabs.com/security/cve/cve-2013-1653/
- Advisory: http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
- Advisory: http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
- Advisory: http://secunia.com/advisories/52596
- Advisory: http://ubuntu.com/usn/usn-1759-1
- Advisory: http://www.debian.org/security/2013/dsa-2643
- Advisory: http://www.securityfocus.com/bid/58446