CVE-2013-4761

Name: CVE-2013-4761
Description: Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-2761-1
NVD severity: medium (attack range: remote)
Debian/oldoldstable: package puppet is vulnerable.
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

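| Source Package | Release | Version | Status |
|---|---|---|---|
| puppet (PTS) | squeeze, squeeze (security) | 2.6.2-5+squeeze9 | vulnerable |
| puppet (PTS) | squeeze (lts) | 2.6.2-5+squeeze10 | vulnerable |
| puppet (PTS) | wheezy, wheezy (security) | 2.7.23-1~deb7u3 | fixed |
| puppet (PTS) | stretch, sid, jessie | 3.7.2-4 | fixed |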

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| puppet | source | (unstable) | 3.2.4-1 | low | | |
| puppet | source | wheezy | 2.7.23-1~deb7u1 | medium | DSA-2761-1 | |

Notes

[squeeze] - puppet <no-dsa> (non-standard config and attacker requires local access to master)
