Vulnerability Details : CVE-2013-1653
Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, when listening for incoming connections is enabled and access to the "run" REST endpoint is allowed, allows remote authenticated users to execute arbitrary code via a crafted HTTP request.
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2013-1653
Probability of exploitation activity in the next 30 days: 1.45%
Percentile (the proportion of vulnerabilities scored at or below this one): ~85%
CVSS scores for CVE-2013-1653
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
7.1 | HIGH | AV:N/AC:H/Au:S/C:C/I:C/A:C | 3.9 | 10.0 | NIST
References for CVE-2013-1653
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
  [security-announce] SUSE-SU-2013:0618-1: important: Security update for (Third Party Advisory)
- http://www.securityfocus.com/bid/58446
  Puppet CVE-2013-1653 Arbitrary Code Execution Vulnerability (Third Party Advisory; VDB Entry)
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
  openSUSE-SU-2013:0641-1: moderate: puppet: security fixes (Third Party Advisory)
- http://ubuntu.com/usn/usn-1759-1
  USN-1759-1: Puppet vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://puppetlabs.com/security/cve/cve-2013-1653/
  CVE-2013-1653 | Puppet (Vendor Advisory)
- http://www.debian.org/security/2013/dsa-2643
  Debian -- Security Information -- DSA-2643-1 puppet (Third Party Advisory)
Products affected by CVE-2013-1653
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.9:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.8:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.10:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.11:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.12:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.17:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.14:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.16:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.13:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet:2.7.18:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppet:puppet_enterprise:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet:2.7.19:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet:2.7.20:*:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet:2.7.20:rc1:*:*:*:*:*:*
- cpe:2.3:a:puppetlabs:puppet:1.2.3:*:*:*:enterprise:*:*:*
- cpe:2.3:a:puppetlabs:puppet:1.2.4:*:*:*:enterprise:*:*:*
- cpe:2.3:a:puppetlabs:puppet:1.2.5:*:*:*:enterprise:*:*:*
- cpe:2.3:a:puppetlabs:puppet:1.2.6:*:*:*:enterprise:*:*:*
- cpe:2.3:a:puppetlabs:puppet:1.2.1:*:*:*:enterprise:*:*:*
- cpe:2.3:a:puppetlabs:puppet:1.1:*:*:*:enterprise:*:*:*
- cpe:2.3:a:puppetlabs:puppet:1.2.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:puppetlabs:puppet:1.2.2:*:*:*:enterprise:*:*:*
- cpe:2.3:a:puppetlabs:puppet:1.0:*:*:*:enterprise:*:*:*