CVE-2013-1640 — HIGH (9.0) — White Hats Nepal

Q: How severe is CVE-2013-1640?

CVE-2013-1640 has been rated HIGH with a CVSS base score of 9.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-1640?

Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet, Puppet Puppet Enterprise, Canonical Ubuntu Linux.

Vulnerability Description

The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request.

CVSS Score

9.0

HIGH

AV:N/AC:L/Au:S/C:C/I:C/A:C

Confidentiality

COMPLETE

Integrity

COMPLETE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
Puppet	Puppet	< 2.6.18
Puppet	Puppet Enterprise	< 1.2.7
Canonical	Ubuntu Linux	11.10

References

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0710.htmlThird Party Advisory
http://secunia.com/advisories/52596Third Party Advisory
http://ubuntu.com/usn/usn-1759-1Third Party Advisory
http://www.debian.org/security/2013/dsa-2643Third Party Advisory
https://puppetlabs.com/security/cve/cve-2013-1640/Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0710.htmlThird Party Advisory
http://secunia.com/advisories/52596Third Party Advisory
http://ubuntu.com/usn/usn-1759-1Third Party Advisory
http://www.debian.org/security/2013/dsa-2643Third Party Advisory
https://puppetlabs.com/security/cve/cve-2013-1640/Vendor Advisory

FAQ

What is CVE-2013-1640?

CVE-2013-1640 is a vulnerability with a CVSS score of 9.0 (HIGH). The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 ...

How severe is CVE-2013-1640?

CVE-2013-1640 has been rated HIGH with a CVSS base score of 9.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-1640?

Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet, Puppet Puppet Enterprise, Canonical Ubuntu Linux.