CVSS: 9.0EPSS: 2%CPEs: 9EXPL: 0CVE-2013-1640 – Puppet: catalog request code execution
https://notcve.org/view.php?id=CVE-2013-1640
The (1) template and (2) inline_template functions in the master server in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users to execute arbitrary code via a crafted catalog request. La funciones (1) template y (2) inline_template en el servidor maestro en Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, permite a usuarios remotos autenticados ejecutar código arbitrario a través de una solicitud de catálogo especialmente diseñado. • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://secunia.com/advisories/52596 http://ubuntu.com/usn/usn-1759-1 http://www.debian.org/security/2013/dsa-2643 https://puppetlabs.com/security/cve/cve-2013-1640 https://access.redhat.com/security/cve/CVE-2013-1640 https://bugzilla.redhat.com/show_bug.cgi?id=919783 • CWE-502: Deserialization of Untrusted Data •
CVSS: 4.0EPSS: 0%CPEs: 46EXPL: 0CVE-2013-2275 – Puppet: default auth.conf allows authenticated node to submit a report for any other node
https://notcve.org/view.php?id=CVE-2013-2275
The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors. La configuración por defecto para puppet masters v0.25.0 y posteriores en Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21 y v3.1.x anterior a 3.1.1, y Puppet Enterprise anterior a v1.2.7 y v2.7.x anterior a v2.7.2, permite a los nodos remotos autenticados enviar informes para otros nodos a través de vectores no especificados. • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://secunia.com/advisories/52596 http://ubuntu.com/usn/usn-1759-1 http://www.debian.org/security/2013/dsa-2643 http://www.securityfocus.com/bid/58449 https://puppetlabs.com/security/cve/cve-2013-2275 https://access.redhat.com/security/cve/CVE-2013-2275 https://bugzilla.redhat.com& •
CVSS: 4.9EPSS: 0%CPEs: 29EXPL: 0CVE-2013-1652 – Puppet: HTTP GET request catalog retrieval
https://notcve.org/view.php?id=CVE-2013-1652
Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2 allows remote authenticated users with a valid certificate and private key to read arbitrary catalogs or poison the master's cache via unspecified vectors. Puppet anterior a v2.6.18, v2.7.x anterior a v2.7.21, y v3.1.x anterior a v3.1.1, y Puppet Enterprise anterior a v1.2.7 y v2.7.x anterior a v2.7.2 permite a usuarios remotos autenticados con un certificado válido y una clave privada leer catalogs arbitrarios o envenenar la caché del maestro a través de vectores no especificados. • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html http://rhn.redhat.com/errata/RHSA-2013-0710.html http://secunia.com/advisories/52596 http://ubuntu.com/usn/usn-1759-1 http://www.debian.org/security/2013/dsa-2643 http://www.securityfocus.com/bid/58443 https://puppetlabs.com/security/cve/cve-2013-1652 https://access.redhat.com/security/cve/CVE-2013-1652 https://bugzilla.redhat.com& • CWE-264: Permissions, Privileges, and Access Controls •