CVE-2013-4761
First published: Tue Aug 20 2013(Updated: )
Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/puppet | >=3.2.0<3.2.4 | 3.2.4 |
| rubygems/puppet | >=2.7.0<2.7.23 | 2.7.23 |
| Puppet | =3.2.1 | |
| Puppet | =3.2.2 | |
| Puppet | =3.2.3 | |
| Puppet | =3.2.0 | |
| Puppet | =2.7.2 | |
| Puppet | =2.7.0 | |
| Puppet | =2.7.1 | |
| Puppet Enterprise | =2.8.0 | |
| Puppet Enterprise | =2.8.1 | |
| Puppet Enterprise | =2.8.2 | |
| Puppet Enterprise | =3.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00009.html
- http://puppetlabs.com/security/cve/cve-2013-4761/
- http://rhn.redhat.com/errata/RHSA-2013-1283.html
- http://rhn.redhat.com/errata/RHSA-2013-1284.html
- http://www.debian.org/security/2013/dsa-2761
- https://nvd.nist.gov/vuln/detail/CVE-2013-4761
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-4761.yml
- https://www.puppet.com/security/cve/cve-2013-4761-resourcetype-remote-code-execution-vulnerability
- https://github.com/advisories/GHSA-cj43-9h3w-v976 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2013-4761?
CVE-2013-4761 is classified as a high severity vulnerability due to its potential for remote code execution.
How do I fix CVE-2013-4761?
To fix CVE-2013-4761, upgrade Puppet to version 3.2.4 or 2.7.23 and ensure you are on a supported release.
Which versions of Puppet are affected by CVE-2013-4761?
CVE-2013-4761 affects Puppet versions 2.7.x before 2.7.23, 3.2.x before 3.2.4, Puppet Enterprise 2.8.x before 2.8.3, and 3.0.x before 3.0.1.
Can CVE-2013-4761 be exploited without authentication?
Yes, CVE-2013-4761 can be exploited by remote attackers without authentication.
What types of attacks are possible due to CVE-2013-4761?
Due to CVE-2013-4761, attackers can execute arbitrary Ruby programs on the Puppet master.
- collector/github-advisory-latest
- alias/GHSA-cj43-9h3w-v976
- alias/CVE-2013-4761
- collector/github-advisory
- agent/author
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/rubygems
- vendor/puppet
- canonical/puppet
- version/puppet/3.2.1
- version/puppet/3.2.2
- version/puppet/3.2.3
- vendor/puppetlabs
- version/puppet/3.2.0
- version/puppet/2.7.2
- version/puppet/2.7.0
- version/puppet/2.7.1
- canonical/puppet enterprise
- version/puppet enterprise/2.8.0
- version/puppet enterprise/2.8.1
- version/puppet enterprise/2.8.2
- version/puppet enterprise/3.0.0