CVE-2013-4761

Name: CVE-2013-4761
Description: Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DSA-2761-1
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| puppet (PTS) | wheezy (security), wheezy | 2.7.23-1~deb7u3 | fixed |
| puppet | jessie | 3.7.2-4 | fixed |
| puppet | stretch, sid | 4.5.2-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| puppet | source | (unstable) | 3.2.4-1 | low | | |
| puppet | source | wheezy | 2.7.23-1~deb7u1 | medium | DSA-2761-1 | |

Notes

[squeeze] - puppet <no-dsa> (non-standard config and attacker requires local access to master)
