| Name | CVE-2016-5713 |
| Description | Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| puppet (PTS) | jessie, jessie (lts) | 3.7.2-4+deb8u1 | fixed |
| stretch | 4.8.2-5 | fixed |
| buster | 5.5.10-4 | fixed |
| bullseye | 5.5.22-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| puppet | source | wheezy | (not affected) | | | |
| puppet | source | jessie | (not affected) | | | |
| puppet | source | (unstable) | 4.7.0-1 | | | |
Notes
[jessie] - puppet <not-affected> (Vulnerable code introduced later)
[wheezy] - puppet <not-affected> (Vulnerable code introduced later)
Puppet Agent 1.3.0 (puppet: 4.3.0) - 1.5.x affected
Resolved in Puppet Agent 1.6.0 (4.6.0)
https://puppet.com/security/cve/cve-2016-5713