CVE-2013-1640

2013-03-2016:55:00

NVD-CWE-noinfo

[email protected]

web.nvd.nist.gov

puppet

cve-2013-1640

security

remote code execution

catalog request

6.8 Medium

AI Score

Confidence

Low

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.024 Low

EPSS

Percentile

89.7%

JSON

The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request.

CPENameOperatorVersion
puppet:puppetpuppetlt2.6.18
puppet:puppetpuppetlt2.7.21
puppet:puppetpuppeteq3.1.0
puppet:puppet_enterprisepuppet puppet enterpriselt1.2.7
puppet:puppet_enterprisepuppet puppet enterpriseeq2.7.0
puppet:puppet_enterprisepuppet puppet enterpriseeq2.7.1
canonical:ubuntu_linuxcanonical ubuntu linuxeq12.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq11.10
canonical:ubuntu_linuxcanonical ubuntu linuxeq12.10

CPE	Name	Operator	Version
puppet:puppet	puppet	lt	2.6.18
puppet:puppet	puppet	lt	2.7.21
puppet:puppet	puppet	eq	3.1.0
puppet:puppet_enterprise	puppet puppet enterprise	lt	1.2.7
puppet:puppet_enterprise	puppet puppet enterprise	eq	2.7.0
puppet:puppet_enterprise	puppet puppet enterprise	eq	2.7.1
canonical:ubuntu_linux	canonical ubuntu linux	eq	12.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	11.10
canonical:ubuntu_linux	canonical ubuntu linux	eq	12.10