CVE-2013-1653

Name of the Vulnerable Software and Affected Versions Puppet versions prior to 2.6.18 Puppet versions 2.7.x prior to 2.7.21 Puppet versions 3.1.x prior to 3.1.1 Puppet Enterprise versions prior to 1.2.7 Puppet Enterprise versions 2.7.x prior to 2.7.2

Description The issue allows remote authenticated users to execute arbitrary code via a crafted HTTP request when listening for incoming connections is enabled and access to the "run" REST endpoint is allowed. This can lead to a breach of confidentiality, integrity, and availability of protected information. The exploitation can be carried out remotely by an attacker who has passed the authentication procedure.

Recommendations For Puppet versions prior to 2.6.18, update to version 2.6.18 or later. For Puppet versions 2.7.x prior to 2.7.21, update to version 2.7.21 or later. For Puppet versions 3.1.x prior to 3.1.1, update to version 3.1.1 or later. For Puppet Enterprise versions prior to 1.2.7, update to version 1.2.7 or later. For Puppet Enterprise versions 2.7.x prior to 2.7.2, update to version 2.7.2 or later. As a temporary workaround, consider disabling access to the "run" REST endpoint until a patch is available. Restrict incoming connections to minimize the risk of exploitation.