CVE-2018-6508
Published 2018-02-09
CVE-2018-6508: Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or…
Priority: P3 · 43 · high · 8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.91% (77.2th percentile)
Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | puppet-module-puppetlabs-apache | < puppet-module-puppetlabs-apache 3.0.0-1 (bookworm) | puppet-module-puppetlabs-apache 3.0.0-1 (bookworm) |
| debian | puppet-module-puppetlabs-apt | < puppet-module-puppetlabs-apache 3.0.0-1 (bookworm) | puppet-module-puppetlabs-apache 3.0.0-1 (bookworm) |
| debian | puppet-module-puppetlabs-mysql | < puppet-module-puppetlabs-apache 3.0.0-1 (bookworm) | puppet-module-puppetlabs-apache 3.0.0-1 (bookworm) |
| puppet | puppet_enterprise | — | — |
| puppet | puppet_enterprise | 2017.3.0 – 2017.3.2 | — |
| puppet | puppetlabs_apache | — | — |
| puppet | puppetlabs_apt | — | — |
| puppet | puppetlabs_facter_task | — | — |
| puppet | puppetlabs_mysql | — | — |
| puppet | puppetlabs_puppet_conf | — | — |
CVSS provenance
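| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.0 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | | 8.0 | HIGH | |
| vendor_debian | | 8.0 | LOW | |
| vendor_redhat | | 8.0 | HIGH | |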
Red Hat
puppet: Unparameterized input in multiple modules can allow a remote user to execute arbitrary code
vendor_redhat·2018-02-05·CVSS 8.0
CVE-2018-6508 [HIGH] CWE-78 puppet: Unparameterized input in multiple modules can allow a remote user to execute arbitrary code
Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.
Package: puppet-apache (Red Hat OpenStack Platform 10 (Newton)) - Not affected
Package: puppet-mysql (Red Hat OpenStack Platform 10 (Newton)) - Not affected
Package: puppet-apache (Red Hat OpenStack Platform 11 (Ocata)) - Not affected
Package: puppet-mysql (Red Hat OpenStack Platform 11 (Ocata)) - Not affected
Package: puppet-apache (Red Hat OpenStack Platform 12 (Pike)) - Not a
Debian
CVE-2018-6508: puppet-module-puppetlabs-apache - Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote executio...
vendor_debian·2018·CVSS 8.0
CVE-2018-6508 [HIGH] CVE-2018-6508: puppet-module-puppetlabs-apache - Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote executio...
Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.
Scope: local
bookworm: resolved (fixed in 3.0.0-1)
bullseye: resolved (fixed in 3.0.0-1)
forky: resolved (fixed in 3.0.0-1)
sid: resolved (fixed in 3.0.0-1)
trixie: resolved (fixed in 3.0.0-1)
GHSA
GHSA-j433-wpfx-cxg3: Puppet Enterprise 2017
ghsa_unreviewed·2022-05-13
CVE-2018-6508 [HIGH] CWE-134 GHSA-j433-wpfx-cxg3: Puppet Enterprise 2017
Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.
OSV
CVE-2018-6508: Puppet Enterprise 2017
osv·2018-02-09·CVSS 8.0
CVE-2018-6508 [HIGH] CVE-2018-6508: Puppet Enterprise 2017
Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.
No detection rules found.
No public exploits indexed.
Published: 2018-02-09