Vulnerability Details : CVE-2013-1640
The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request.
Vulnerability category: Execute code
Products affected by CVE-2013-1640
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2.7.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-1640
3.92%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 92 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-1640
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.0
|
HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
8.0
|
10.0
|
NIST |
References for CVE-2013-1640
-
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
[security-announce] SUSE-SU-2013:0618-1: important: Security update forThird Party Advisory
-
http://rhn.redhat.com/errata/RHSA-2013-0710.html
RHSA-2013:0710 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
openSUSE-SU-2013:0641-1: moderate: puppet: security fixesThird Party Advisory
-
http://ubuntu.com/usn/usn-1759-1
USN-1759-1: Puppet vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://puppetlabs.com/security/cve/cve-2013-1640/
CVE-2013-1640 | PuppetVendor Advisory
-
http://www.debian.org/security/2013/dsa-2643
Debian -- Security Information -- DSA-2643-1 puppetThird Party Advisory
Jump to