CVE-2013-1654

Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors.

Affected Software

Name	Vendor	Start Version	End Version
Puppet	Puppet	2.7.2 (including)	2.7.2 (including)
Puppet	Puppet	2.7.3 (including)	2.7.3 (including)
Puppet	Puppet	2.7.4 (including)	2.7.4 (including)
Puppet	Puppet	2.7.5 (including)	2.7.5 (including)
Puppet	Puppet	2.7.6 (including)	2.7.6 (including)
Puppet	Puppet	2.7.7 (including)	2.7.7 (including)
Puppet	Puppet	2.7.8 (including)	2.7.8 (including)
Puppet	Puppet	2.7.9 (including)	2.7.9 (including)
Puppet	Puppet	2.7.10 (including)	2.7.10 (including)
Puppet	Puppet	2.7.11 (including)	2.7.11 (including)
Puppet	Puppet	2.7.12 (including)	2.7.12 (including)
Puppet	Puppet	2.7.13 (including)	2.7.13 (including)
Puppet	Puppet	2.7.14 (including)	2.7.14 (including)
Puppet	Puppet	2.7.16 (including)	2.7.16 (including)
Puppet	Puppet	2.7.17 (including)	2.7.17 (including)
Puppet	Puppet	2.7.18 (including)	2.7.18 (including)
Puppet	Puppetlabs	2.7.0 (including)	2.7.0 (including)
Puppet	Puppetlabs	2.7.1 (including)	2.7.1 (including)
Puppet	Puppetlabs	2.7.19 (including)	2.7.19 (including)
Puppet	Puppetlabs	2.7.20 (including)	2.7.20 (including)
Puppet	Puppetlabs	2.7.20-rc1 (including)	2.7.20-rc1 (including)
OpenStack Folsom for RHEL 6	RedHat	puppet-0:2.6.18-1.el6ost	*
Puppet	Ubuntu	devel	*
Puppet	Ubuntu	hardy	*
Puppet	Ubuntu	lucid	*
Puppet	Ubuntu	oneiric	*
Puppet	Ubuntu	precise	*
Puppet	Ubuntu	quantal	*
Puppet	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2013-1654
CWE	https://cwe.mitre.org/data/definitions/.html

Affected Software

References