Vulnerability Description
Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Puppet | Puppet | 2.7.2 |
| Puppetlabs | Puppet | 2.7.0 |
| Puppet | Puppet Enterprise | 3.1.0 |
| Canonical | Ubuntu Linux | 11.10 |
References
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
- http://rhn.redhat.com/errata/RHSA-2013-0710.html
- http://secunia.com/advisories/52596Vendor Advisory
- http://ubuntu.com/usn/usn-1759-1
- http://www.debian.org/security/2013/dsa-2643
- http://www.securityfocus.com/bid/64758
- https://puppetlabs.com/security/cve/cve-2013-1654/Vendor Advisory
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
- http://rhn.redhat.com/errata/RHSA-2013-0710.html
- http://secunia.com/advisories/52596Vendor Advisory
- http://ubuntu.com/usn/usn-1759-1
- http://www.debian.org/security/2013/dsa-2643
- http://www.securityfocus.com/bid/64758
FAQ
What is CVE-2013-1654?
CVE-2013-1654 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to co...
How severe is CVE-2013-1654?
CVE-2013-1654 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-1654?
Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet, Puppetlabs Puppet, Puppet Puppet Enterprise, Canonical Ubuntu Linux.