Skip to main content

Puppet CVE-2013-1640

CRITICAL
2013-03-20 cve@mitre.org
9.0
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:L/Au:S/C:C/I:C/A:C

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:N/AC:L/Au:S/C:C/I:C/A:C
Attack Vector
Network
Attack Complexity
Low
Confidentiality
C
Integrity
C
Availability
C

Lifecycle Timeline

1
CVE Published
Mar 20, 2013 - 16:55 cve.org
CRITICAL 9.0

DescriptionCVE.org

The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request.

AnalysisAI

The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request. Affected products include: Puppet, Puppet Puppet Enterprise, Canonical Ubuntu Linux. Version information: before 2.6.18.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Puppet

View all
CVE-2014-3248 MEDIUM POC
6.2 Nov 16

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Fa

CVE-2016-2785 CRITICAL
9.8 Jun 10

Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow

CVE-2021-27021 HIGH
8.8 Jul 20

A flaw was discovered in Puppet DB, this flaw results in an escalation of privileges which allows the user to delete tab

CVE-2018-6513 HIGH
8.8 Jun 11

Puppet Enterprise 2016.4.x prior to 2016.4.12, Puppet Enterprise 2017.3.x prior to 2017.3.7, Puppet Enterprise 2018.1.x

CVE-2013-3567 HIGH
7.5 Aug 19

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, whic

CVE-2013-1398 HIGH
8.5 Mar 14

The pe_mcollective module in Puppet Enterprise (PE) before 2.7.1 does not properly restrict access to a catalog of priva

CVE-2012-3867 MEDIUM POC
4.3 Aug 06

lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.

CVE-2017-2295 HIGH
8.2 Jul 05

Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with

CVE-2012-3864 MEDIUM POC
4.0 Aug 06

Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, allows remote authenticated users to r

CVE-2018-6515 HIGH
7.8 Jun 11

Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, and Puppet Agent 5.5.x prior to 5.5.2 on Window

CVE-2018-6514 HIGH
7.8 Jun 11

In Puppet Agent 1.10.x prior to 1.10.13, Puppet Agent 5.3.x prior to 5.3.7, Puppet Agent 5.5.x prior to 5.5.2, Facter on

CVE-2012-3865 LOW POC
3.5 Aug 06

Directory traversal vulnerability in lib/puppet/reports/store.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Pu

Share

CVE-2013-1640 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy