CVE-2013-2274

Name: CVE-2013-2274
Description: Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-2643-1
NVD severity: medium (attack range: remote)
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

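| Source Package | Release | Version | Status |
|---|---|---|---|
| puppet (PTS) | squeeze (security), squeeze | 2.6.2-5+squeeze9 | fixed |
| puppet (PTS) | squeeze (lts) | 2.6.2-5+squeeze10 | fixed |
| puppet (PTS) | wheezy, wheezy (security) | 2.7.23-1~deb7u3 | fixed |
| puppet (PTS) | sid, jessie | 3.7.2-4 | fixed |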

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| puppet | source | (unstable) | 2.7-1 | medium | | |
| puppet | source | squeeze | 2.6.2-5+squeeze7 | medium | DSA-2643-1 | |

Notes

Only affects puppet 2.6.x
