CVE-2016-5713 — Code Injection in Agent

CWE-94 — Code Injection5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

1.1%

top 21.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Puppet Agent

Timeline

PublishedDec 6

Latest updateMay 14

Description

Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDpuppet/puppet_agent1.3.0 — 1.6.0

▶CVEListV5puppet/puppet_agentIntroduced in 1.3.0, fixed in 1.6.0

▶Debianpuppet/puppet< 4.7.0-1

🔴Vulnerability Details

GHSA

GHSA-mvpp-7hv9-px53: Versions of Puppet Agent prior to 1↗2022-05-14

▶

CVEList

CVE-2016-5713: Versions of Puppet Agent prior to 1↗2017-12-06

▶

OSV

CVE-2016-5713: Versions of Puppet Agent prior to 1↗2017-12-06

▶

📋Vendor Advisories

Debian

CVE-2016-5713: puppet - Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Executi...↗2016

▶