CVE-2013-2274

NameCVE-2013-2274
DescriptionPuppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-2643-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
puppet (PTS)jessie, jessie (lts)3.7.2-4+deb8u1fixed
stretch4.8.2-5fixed
buster5.5.10-4fixed
bullseye5.5.22-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
puppetsourcesqueeze2.6.2-5+squeeze7DSA-2643-1
puppetsource(unstable)2.7-1

Notes

Only affects puppet 2.6.x

Search for package or bug name: Reporting problems