CVE-2016-5713

NameCVE-2016-5713
DescriptionVersions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
puppet (PTS)jessie (security), jessie3.7.2-4+deb8u1fixed
stretch4.8.2-5fixed
bullseye, sid, buster5.5.10-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
puppetsource(unstable)4.7.0-1high
puppetsourcejessie(not affected)
puppetsourcewheezy(not affected)

Notes

[jessie] - puppet <not-affected> (Vulnerable code introduced later)
[wheezy] - puppet <not-affected> (Vulnerable code introduced later)
Puppet Agent 1.3.0 (puppet: 4.3.0) - 1.5.x affected
Resolved in Puppet Agent 1.6.0 (4.6.0)
https://puppet.com/security/cve/cve-2016-5713

Search for package or bug name: Reporting problems