CVE-2013-1652 — MEDIUM (4.9)

Q: How severe is CVE-2013-1652?

CVE-2013-1652 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-1652?

Check the references section above for vendor advisories and patch information. Affected products include: Puppetlabs Puppet, Puppet Puppet, Puppet Puppet Enterprise, Canonical Ubuntu Linux.

Vulnerability Description

Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors.

CVSS Score

4.9

MEDIUM

AV:N/AC:M/Au:S/C:P/I:P/A:N

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

NONE

Affected Products

Vendor	Product	Versions
Puppetlabs	Puppet	<= 2.6.17
Puppet	Puppet	2.7.2
Puppet	Puppet Enterprise	3.1.0
Canonical	Ubuntu Linux	11.10

Related Weaknesses (CWE)

CWE-264

References

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.htmlMailing ListThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0710.htmlThird Party Advisory
http://secunia.com/advisories/52596Third Party AdvisoryVendor Advisory
http://ubuntu.com/usn/usn-1759-1Third Party Advisory
http://www.debian.org/security/2013/dsa-2643Third Party Advisory
http://www.securityfocus.com/bid/58443Third Party AdvisoryVDB Entry
https://puppetlabs.com/security/cve/cve-2013-1652/Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.htmlMailing ListThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0710.htmlThird Party Advisory
http://secunia.com/advisories/52596Third Party AdvisoryVendor Advisory
http://ubuntu.com/usn/usn-1759-1Third Party Advisory
http://www.debian.org/security/2013/dsa-2643Third Party Advisory
http://www.securityfocus.com/bid/58443Third Party AdvisoryVDB Entry

FAQ

What is CVE-2013-1652?

CVE-2013-1652 is a vulnerability with a CVSS score of 4.9 (MEDIUM). Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key ...

How severe is CVE-2013-1652?

CVE-2013-1652 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-1652?

Check the references section above for vendor advisories and patch information. Affected products include: Puppetlabs Puppet, Puppet Puppet, Puppet Puppet Enterprise, Canonical Ubuntu Linux.