Red Hat Bugzilla – Bug 919773
CVE-2013-2274 Puppet: HTTP PUT report saving code execution vulnerability
Last modified: 2016-04-26 21:25:49 EDT
Moses Mendoza (firstname.lastname@example.org) reports:
CVE-2013-2274 - Remote code execution on master from authenticated clients
* Affected versions: 2.6.x
* Patched versions: 2.6.18
A bug in Puppet allows an authenticated client to execute arbitrary
code on the puppet master in its default configuration. Given a valid
certificate and private key, a client can construct an HTTP PUT
request that is authorized to save the client's own report, but the
request will actually cause the puppet master to execute arbitrary
Created puppet tracking bugs for this issue
Affects: epel-all [bug 920843]
Created attachment 710423
Red Hat would like to thank Puppet Labs for reporting this issue.
This issue has been addressed in the following products:
OpenStack Folsom for RHEL 6
Via RHSA-2013:0710 https://rhn.redhat.com/errata/RHSA-2013-0710.html
puppet-2.6.18-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
puppet-2.6.18-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Removed due to typo.