CVE-2013-2274

Puppet 2.6.x before 2.6.18 and Puppet Enterprise 1.2.x before 1.2.7 allows remote authenticated users to execute arbitrary code on the puppet master, or an agent with puppet kick enabled, via a crafted request for a report.

Affected Software

Name	Vendor	Start Version	End Version
Puppet	Puppet	2.6.0 (including)	2.6.0 (including)
Puppet	Puppet	2.6.1 (including)	2.6.1 (including)
Puppet	Puppet	2.6.2 (including)	2.6.2 (including)
Puppet	Puppet	2.6.3 (including)	2.6.3 (including)
Puppet	Puppet	2.6.4 (including)	2.6.4 (including)
Puppet	Puppet	2.6.5 (including)	2.6.5 (including)
Puppet	Puppet	2.6.6 (including)	2.6.6 (including)
Puppet	Puppet	2.6.7 (including)	2.6.7 (including)
Puppet	Puppet	2.6.8 (including)	2.6.8 (including)
Puppet	Puppet	2.6.9 (including)	2.6.9 (including)
Puppet	Puppet	2.6.10 (including)	2.6.10 (including)
Puppet	Puppet	2.6.11 (including)	2.6.11 (including)
Puppet	Puppet	2.6.12 (including)	2.6.12 (including)
Puppet	Puppet	2.6.13 (including)	2.6.13 (including)
Puppet	Puppet	2.6.14 (including)	2.6.14 (including)
Puppet	Puppet	2.6.15 (including)	2.6.15 (including)
Puppet	Puppet	2.6.16 (including)	2.6.16 (including)
Puppet	Puppetlabs	2.6.17 (including)	2.6.17 (including)
OpenStack Folsom for RHEL 6	RedHat	puppet-0:2.6.18-1.el6ost	*
Puppet	Ubuntu	hardy	*
Puppet	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2013-2274
CWE	https://cwe.mitre.org/data/definitions/.html

Affected Software

References