CVE-2013-2274

Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:P/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
VendorProductVersion
puppetpuppet
2.6.0
puppetpuppet
2.6.1
puppetpuppet
2.6.2
puppetpuppet
2.6.3
puppetpuppet
2.6.4
puppetpuppet
2.6.5
puppetpuppet
2.6.6
puppetpuppet
2.6.7
puppetpuppet
2.6.8
puppetpuppet
2.6.9
puppetpuppet
2.6.10
puppetpuppet
2.6.11
puppetpuppet
2.6.12
puppetpuppet
2.6.13
puppetpuppet
2.6.14
puppetpuppet
2.6.15
puppetpuppet
2.6.16
puppetlabspuppet
2.6.17
puppetpuppet_enterprise
1.2.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
puppet
bullseye
5.5.22-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
puppet
quantal
not-affected
precise
not-affected
oneiric
not-affected
lucid
not-affected
hardy
ignored
References
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
http://rhn.redhat.com/errata/RHSA-2013-0710.html
http://secunia.com/advisories/52596
http://www.debian.org/security/2013/dsa-2643
http://www.securityfocus.com/bid/58447
https://puppetlabs.com/security/cve/cve-2013-2274/
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
http://rhn.redhat.com/errata/RHSA-2013-0710.html
http://secunia.com/advisories/52596
http://www.debian.org/security/2013/dsa-2643
http://www.securityfocus.com/bid/58447
https://puppetlabs.com/security/cve/cve-2013-2274/