ubuntucve - Ubuntu.com - UB:CVE-2013-1640
Mar 12, 2013 - 12:00 a.m.

CVE-2013-1640


CVSS2: 9 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.024 Low
Percentile: 89.7%

The (1) template and (2) inline_template functions in the master server in
Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and
Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allow remote
authenticated users to execute arbitrary code via a crafted catalog
request.

Notes

Author: mdeslaur
Note: Upstream no longer supports 0.25.x as found in lucid. The code is substantially different, rendering a backport of this security update difficult. Since puppet in Lucid is almost end-of-life, we aren’t planning on backporting the security fix to it. For Lucid users, we recommend using puppet 2.7.1-1ubuntu3.8~ubuntu10.04.1 currently in lucid-backports.

OS      Version  Architecture  Package  Version               Filename
ubuntu  11.10    noarch        puppet   < 2.7.1-1ubuntu3.8    UNKNOWN
ubuntu  12.04    noarch        puppet   < 2.7.11-1ubuntu2.2   UNKNOWN
ubuntu  12.10    noarch        puppet   < 2.7.18-1ubuntu1.1   UNKNOWN
