CVE-2013-2275
First published: Wed Mar 20 2013(Updated: )
The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Puppet | =2.6.0 | |
| Puppet | =2.6.1 | |
| Puppet | =2.6.2 | |
| Puppet | =2.6.3 | |
| Puppet | =2.6.4 | |
| Puppet | =2.6.5 | |
| Puppet | =2.6.6 | |
| Puppet | =2.6.7 | |
| Puppet | =2.6.8 | |
| Puppet | =2.6.9 | |
| Puppet | =2.6.10 | |
| Puppet | =2.6.11 | |
| Puppet | =2.6.12 | |
| Puppet | =2.6.13 | |
| Puppet | =2.6.14 | |
| Puppet | =2.6.15 | |
| Puppet | =2.6.16 | |
| Puppet | <=2.6.17 | |
| Puppet | =2.7.2 | |
| Puppet | =2.7.3 | |
| Puppet | =2.7.4 | |
| Puppet | =2.7.5 | |
| Puppet | =2.7.6 | |
| Puppet | =2.7.7 | |
| Puppet | =2.7.8 | |
| Puppet | =2.7.9 | |
| Puppet | =2.7.10 | |
| Puppet | =2.7.11 | |
| Puppet | =2.7.12 | |
| Puppet | =2.7.13 | |
| Puppet | =2.7.14 | |
| Puppet | =2.7.16 | |
| Puppet | =2.7.17 | |
| Puppet | =2.7.18 | |
| Puppet | =2.7.0 | |
| Puppet | =2.7.1 | |
| Puppet | =2.7.19 | |
| Puppet | =2.7.20 | |
| Puppet | =2.7.20-rc1 | |
| Puppet Enterprise | =3.1.0 | |
| Puppet | <=1.2.6 | |
| Puppet Enterprise | =2.7.0 | |
| Puppet Enterprise | =2.7.1 | |
| Ubuntu | =11.10 | |
| Ubuntu | =12.04 | |
| Ubuntu | =12.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
- http://rhn.redhat.com/errata/RHSA-2013-0710.html
- http://secunia.com/advisories/52596
- http://ubuntu.com/usn/usn-1759-1
- http://www.debian.org/security/2013/dsa-2643
- http://www.securityfocus.com/bid/58449
- https://puppetlabs.com/security/cve/cve-2013-2275/
Frequently Asked Questions
What is the severity of CVE-2013-2275?
CVE-2013-2275 has a moderate severity rating due to its potential for unauthorized report submissions by authenticated nodes.
How do I fix CVE-2013-2275?
To fix CVE-2013-2275, upgrade Puppet to versions 2.6.18, 2.7.21, 3.1.1 or later, as well as ensuring Puppet Enterprise is updated to version 1.2.7 or higher.
Which versions of Puppet are affected by CVE-2013-2275?
CVE-2013-2275 affects Puppet versions from 0.25.0 up to 2.6.17, and various versions of 2.7.x and 3.1.x prior to the respective secure releases.
Can authenticated nodes exploit CVE-2013-2275?
Yes, authenticated nodes can exploit CVE-2013-2275 to submit reports for other nodes if the vulnerable versions are in use.
Is there a workaround for CVE-2013-2275 if I cannot update Puppet?
A possible workaround for CVE-2013-2275 would involve adjusting the Puppet master configurations to restrict report submission to only the intended nodes.
- agent/type
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/puppet
- canonical/puppet
- version/puppet/2.6.0
- version/puppet/2.6.1
- version/puppet/2.6.2
- version/puppet/2.6.3
- version/puppet/2.6.4
- version/puppet/2.6.5
- version/puppet/2.6.6
- version/puppet/2.6.7
- version/puppet/2.6.8
- version/puppet/2.6.9
- version/puppet/2.6.10
- version/puppet/2.6.11
- version/puppet/2.6.12
- version/puppet/2.6.13
- version/puppet/2.6.14
- version/puppet/2.6.15
- version/puppet/2.6.16
- vendor/puppetlabs
- version/puppet/2.6.17
- version/puppet/2.7.2
- version/puppet/2.7.3
- version/puppet/2.7.4
- version/puppet/2.7.5
- version/puppet/2.7.6
- version/puppet/2.7.7
- version/puppet/2.7.8
- version/puppet/2.7.9
- version/puppet/2.7.10
- version/puppet/2.7.11
- version/puppet/2.7.12
- version/puppet/2.7.13
- version/puppet/2.7.14
- version/puppet/2.7.16
- version/puppet/2.7.17
- version/puppet/2.7.18
- version/puppet/2.7.0
- version/puppet/2.7.1
- version/puppet/2.7.19
- version/puppet/2.7.20
- version/puppet/2.7.20-rc1
- canonical/puppet enterprise
- version/puppet enterprise/3.1.0
- version/puppet/1.2.6
- version/puppet enterprise/2.7.0
- version/puppet enterprise/2.7.1
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/11.10
- version/ubuntu/12.04
- version/ubuntu/12.10