Red Hat Bugzilla – Bug 1542831
CVE-2018-6508 puppet: Unparameterized input in multiple modules can allow a remote user to execute arbitrary code
Last modified: 2018-02-15 00:59:55 EST
Multiplep puppet modules do not properly paramterize their inputs to spawned child processes. A remote attacker with permission to run these modules could exploit this to execute arbitrary commands. The affected modules include: Puppetlabs/facter_task puppet module prior to 0.1.5 Puppetlabs/puppet_conf puppet module prior to 0.1.5 Puppetlabs/apt puppet module prior to 4.5.1 Puppetlabs/mysql puppet module prior to 5.2.1 Puppetlabs/apache puppet module prior to 2.3.1 Upstream Advisory: https://puppet.com/security/cve/CVE-2018-6508 Upstream Commits: https://github.com/puppetlabs/puppetlabs-facter_task/commit/dd37c72e78c8a37e671e20becb05d6ceafdbd81c https://github.com/puppetlabs/puppetlabs-puppet_conf/commit/ba434605717e16d935cba45ab38ca5866780a36b https://github.com/puppetlabs/puppetlabs-apt/commit/81879be960d5723016e3d0b4ff155ee704261bbc https://github.com/puppetlabs/puppetlabs-apache/commit/81bc5119ceced1faa4bf261efa4b7cd3731ef3ef https://github.com/puppetlabs/puppetlabs-mysql/commit/da3684c79d5fe6ece826e087e8693c75ac40414c