CVE-2013-1655 — Improper Input Validation in Puppet

CWE-20 — Improper Input Validation9 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.6%

top 29.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Puppet Enterprise Puppetlabs Puppet

Timeline

PublishedMar 20

Latest updateOct 24

Description

Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes."

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages5 packages

▶RubyGemspuppet/puppet2.7.0 — 2.7.21+1

▶Debianpuppet/puppet< 2.7.18-3

▶NVDpuppet/puppet16 versions+15

▶NVDpuppetlabs/puppet4 versions+3

▶NVDpuppet/puppet_enterprise3.1.0

🔴Vulnerability Details

OSV

Puppet Improper Input Validation vulnerability↗2017-10-24

▶

GHSA

Puppet Improper Input Validation vulnerability↗2017-10-24

▶

OSV

CVE-2013-1655: Puppet 2↗2013-03-20

▶

CVEList

CVE-2013-1655: Puppet 2↗2013-03-20

▶

📋Vendor Advisories

Ubuntu

Puppet vulnerabilities↗2013-03-12

▶

Debian

CVE-2013-1655: puppet - Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or la...↗2013

▶

💬Community

Bugzilla

CVE-2013-1640 CVE-2013-1652 CVE-2013-1653 CVE-2013-1654 CVE-2013-1655 CVE-2013-2275 puppet various flaws [fedora-all]↗2013-03-12

▶

Bugzilla

CVE-2013-1655 Puppet: Master code loading Ruby symbols vulnerability↗2013-03-10

▶