CVE-2016-5713

EUVD-2016-6652
Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
Affected Products (NVD)
VendorProductVersion
puppetpuppet_agent
1.3.0 ≤
𝑥
< 1.6.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
puppet
bullseye
5.5.22-2
fixed
jessie
not-affected
wheezy
not-affected
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
puppet
artful
not-affected
trusty
not-affected
xenial
not-affected
zesty
ignored
Common Weakness Enumeration
References
https://puppet.com/security/cve/cve-2016-5713
https://puppet.com/security/cve/cve-2016-5713