CVE-2013-1640: Deserialization of Untrusted Data in Puppet

Severity
9.0 CRITICAL (NVD)
EPSS
1.9% (top 16.51%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 20, 2013
Latest update: May 13, 2022

Description

The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allow remote authenticated users to execute arbitrary code via a crafted catalog request.

CVSS vector

CVSS v2: AV:N/AC:L/Au:S/C:C/I:C/A:C (Exploitability: 8.0 | Impact: 10.0; the Au:S component is what yields a 9.0 base score with an exploitability subscore of 8.0, matching the "remote authenticated users" precondition)

Affected Packages (3 packages)

NVD: puppet/puppet 2.7.0 to 2.7.21 (+2 more ranges)
Debian: puppet/puppet < 2.7.18-3

Also affects: Ubuntu Linux 11.10, 12.04, 12.10
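The following Ruby triage helper is an added example for this page; it is not code from the Puppet project, cvebase, or any of the advisories listed here. It encodes only the fixed-version boundaries quoted in the description above (open-source Puppet and Puppet Enterprise) and the Debian package boundary `< 2.7.18-3` from the Affected Packages entry, classifies an installed version against them, and lists `template(` / `inline_template(` calls in a manifest since the description ties the flaw to those two functions. The module name, the three-way result (`:affected` / `:fixed` / `:not_listed` for series such as 3.0.x that this page gives no fixed version for), the simplified Debian revision comparison and the regex-based manifest scan are all assumptions of this example, not something the page or the vendor specifies.

```ruby
# Added triage helper for CVE-2013-1640. Not Puppet or cvebase code: the fixed
# versions below are copied from this page's description and Debian entry.
require "rubygems" # Gem::Version does dotted-version comparison

module Cve20131640Triage
  # Open-source Puppet: "before 2.6.18, 2.7.x before 2.7.21, 3.1.x before 3.1.1".
  # Key = [major, minor] series, value = first fixed release in that series.
  OSS_FIXED = {
    [2, 6] => Gem::Version.new("2.6.18"),
    [2, 7] => Gem::Version.new("2.7.21"),
    [3, 1] => Gem::Version.new("3.1.1"),
  }.freeze

  # Puppet Enterprise: "before 1.2.7 and 2.7.x before 2.7.2".
  PE_FIXED = {
    [1, 2] => Gem::Version.new("1.2.7"),
    [2, 7] => Gem::Version.new("2.7.2"),
  }.freeze

  # Debian's package entry on this page is "< 2.7.18-3": the -3 revision carries
  # a backported fix even though upstream 2.7.18 is older than 2.7.21.
  DEBIAN_FIXED = "2.7.18-3".freeze

  # Returns :affected, :fixed or :not_listed. :not_listed means this page names
  # no fixed version for that series (e.g. 3.0.x), so consult the vendor
  # advisory instead of assuming either way (assumed tri-state, not vendor data).
  def self.status(version_string, fixed_table = OSS_FIXED)
    v = Gem::Version.new(version_string)
    series = (v.segments[0, 2] + [0, 0])[0, 2]
    # An unqualified "before X" covers every release line older than X's series.
    return :affected if (series <=> fixed_table.keys.min) < 0
    fixed = fixed_table[series]
    return :not_listed if fixed.nil?
    v < fixed ? :affected : :fixed
  end

  # Debian/Ubuntu package versions are "upstream-revision". Upstream is compared
  # as a dotted version; the revision only by its leading integer ("1ubuntu2"
  # sorts as 1). Simplification: for exact semantics use `dpkg --compare-versions`.
  def self.debian_compare(a, b)
    ua, ra = a.split("-", 2)
    ub, rb = b.split("-", 2)
    c = Gem::Version.new(ua) <=> Gem::Version.new(ub)
    c.zero? ? ((ra || "0").to_i <=> (rb || "0").to_i) : c
  end

  def self.debian_status(pkg_version, fixed = DEBIAN_FIXED)
    debian_compare(pkg_version, fixed) < 0 ? :affected : :fixed
  end

  # The description names template() and inline_template() as the vulnerable
  # functions, so listing where manifests call them shows which catalogs reach
  # that code. Heuristic: strips '#' comments, does not parse the Puppet DSL.
  TEMPLATE_CALL = /\b(inline_template|template)\s*\(/

  # Returns [[line_number, function_name], ...] for each call found.
  def self.template_calls(manifest_source)
    manifest_source.each_line.with_index(1).flat_map do |line, lineno|
      line.sub(/#.*/, "").scan(TEMPLATE_CALL).map { |(fn)| [lineno, fn] }
    end
  end

  # Constructed sample manifest for the scanner (not from any real deployment).
  SAMPLE_MANIFEST = <<~'PP'.freeze
    # constructed example manifest
    file { '/etc/motd':
      content => template('motd/motd.erb'),
    }
    file { '/etc/issue':
      content => inline_template("<%= @fqdn %>\n"),
    }
    notify { 'plain': message => 'no template call here' }
  PP
end

if $PROGRAM_NAME == __FILE__
  t = Cve20131640Triage
  puts t.status("2.7.20")                      # :affected
  puts t.status("3.1.1")                       # :fixed
  puts t.status("3.0.2")                       # :not_listed
  puts t.status("2.7.1", t::PE_FIXED)          # :affected
  puts t.debian_status("2.7.18-2")             # :affected
  puts t.template_calls(t::SAMPLE_MANIFEST).inspect  # [[3, "template"], [6, "inline_template"]]
end
```

Feed `status` the output of `puppet --version` on the master, and `debian_status` the `dpkg-query -W -f='${Version}' puppet` value on Debian or Ubuntu hosts; a `:not_listed` result is a prompt to read the vendor advisory, not a clean bill of health.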

🔴 Vulnerability Details (3)

GHSA: GHSA-86qh-qpc6-jff7: The (1) template and (2) inline_template functions in the master server in Puppet before 2... (2022-05-13)
CVEList: CVE-2013-1640: The (1) template and (2) inline_template functions in the master server in Puppet before 2... (2013-03-20)
OSV: CVE-2013-1640: The (1) template and (2) inline_template functions in the master server in Puppet before 2... (2013-03-20)

📋 Vendor Advisories (3)

Ubuntu: Puppet vulnerabilities (2013-03-12)
Red Hat: Puppet: catalog request code execution (2013-03-12)
Debian: CVE-2013-1640: puppet - The (1) template and (2) inline_template functions in the master server in Puppe... (2013)

💬 Community (3)

Bugzilla: CVE-2013-1640 CVE-2013-1652 CVE-2013-1654 CVE-2013-2274 CVE-2013-2275 puppet various flaws [epel-all] (2013-03-12)
Bugzilla: CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654 CVE-2013-1655 CVE-2013-2275 puppet various flaws [fedora-all] (2013-03-12)
Bugzilla: CVE-2013-1640 Puppet: catalog request code execution (2013-03-10)