CVE-2013-1653 — HIGH (7.1) — White Hats Nepal

Q: How severe is CVE-2013-1653?

CVE-2013-1653 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-1653?

Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet, Puppetlabs Puppet, Puppet Puppet Enterprise, Canonical Ubuntu Linux.

Vulnerability Description

Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to the "run" REST endpoint is allowed, allows remote authenticated users to execute arbitrary code via a crafted HTTP request.

CVSS Score

7.1

HIGH

AV:N/AC:H/Au:S/C:C/I:C/A:C

Confidentiality

COMPLETE

Integrity

COMPLETE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
Puppet	Puppet	>= 2.6.0, <= 2.6.17
Puppetlabs	Puppet	2.7.0
Puppet	Puppet Enterprise	3.1.0
Canonical	Ubuntu Linux	11.10

References

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.htmlThird Party Advisory
http://secunia.com/advisories/52596Third Party Advisory
http://ubuntu.com/usn/usn-1759-1Third Party Advisory
http://www.debian.org/security/2013/dsa-2643Third Party Advisory
http://www.securityfocus.com/bid/58446Third Party AdvisoryVDB Entry
https://puppetlabs.com/security/cve/cve-2013-1653/Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.htmlThird Party Advisory
http://secunia.com/advisories/52596Third Party Advisory
http://ubuntu.com/usn/usn-1759-1Third Party Advisory
http://www.debian.org/security/2013/dsa-2643Third Party Advisory
http://www.securityfocus.com/bid/58446Third Party AdvisoryVDB Entry
https://puppetlabs.com/security/cve/cve-2013-1653/Vendor Advisory

FAQ

What is CVE-2013-1653?

CVE-2013-1653 is a vulnerability with a CVSS score of 7.1 (HIGH). Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and allowing access to ...

How severe is CVE-2013-1653?

CVE-2013-1653 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-1653?

Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet, Puppetlabs Puppet, Puppet Puppet Enterprise, Canonical Ubuntu Linux.