CVE-2018-6508
published 2018-02-09


Priority: P343, high, 8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.91% (77.2th percentile)

Puppet Enterprise 2017.3.x versions prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string is passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules; if you are not using Puppet tasks, you are not affected by this vulnerability.

Affected

10 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | puppet-module-puppetlabs-apache | < puppet-module-puppetlabs-apache 3.0.0-1 (bookworm) | puppet-module-puppetlabs-apache 3.0.0-1 (bookworm) |
| debian | puppet-module-puppetlabs-apt | < puppet-module-puppetlabs-apache 3.0.0-1 (bookworm) | puppet-module-puppetlabs-apache 3.0.0-1 (bookworm) |
| debian | puppet-module-puppetlabs-mysql | < puppet-module-puppetlabs-apache 3.0.0-1 (bookworm) | puppet-module-puppetlabs-apache 3.0.0-1 (bookworm) |
| puppet | puppet_enterprise | | |
| puppet | puppet_enterprise | 2017.3.0 – 2017.3.2 | |
| puppet | puppetlabs_apache | | |
| puppet | puppetlabs_apt | | |
| puppet | puppetlabs_facter_task | | |
| puppet | puppetlabs_mysql | | |
| puppet | puppetlabs_puppet_conf | | |

CVSS provenance

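| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.0 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | | 8.0 | HIGH | |
| vendor_debian | | 8.0 | LOW | |
| vendor_redhat | | 8.0 | HIGH | |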