Moses Mendoza (moses) reports:
CVE-2013-2274 - Remote code execution on master from authenticated clients
* Affected versions: 2.6.x
* Patched versions: 2.6.18
A bug in Puppet allows an authenticated client to execute arbitrary
code on the puppet master in its default configuration. Given a valid
certificate and private key, a client can construct an HTTP PUT
request that is authorized to save the client's own report, but the
request will actually cause the puppet master to execute arbitrary
code.
External References:
https://puppetlabs.com/security/cve/cve-2013-2274/