CVE-2013-2274

Name: CVE-2013-2274
Description: Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.
Source: CVE (at NVD; LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-2643-1
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| puppet (PTS) | wheezy (security), wheezy | 2.7.23-1~deb7u3 | fixed |
| puppet (PTS) | jessie | 3.7.2-4 | fixed |
| puppet (PTS) | stretch, sid | 3.8.5-2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| puppet | source | (unstable) | 2.7-1 | medium | | |
| puppet | source | squeeze | 2.6.2-5+squeeze7 | medium | DSA-2643-1 | |

Notes

Only affects puppet 2.6.x
