Vulnerability Name: | CVE-2013-1654 (CCN-82755)
Assigned: | 2013-03-12
Published: | 2013-03-12
Updated: | 2019-07-10
Summary: | Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors.
Per http://www.ubuntu.com/usn/usn-1759-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10, Ubuntu 12.04 LTS, Ubuntu 11.10"
CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Vulnerability Type: | CWE-noinfo
Vulnerability Consequences: | Bypass Security
References: |
Source: MITRE Type: CNA CVE-2013-1654
Source: SUSE Type: UNKNOWN SUSE-SU-2013:0618
Source: SUSE Type: UNKNOWN openSUSE-SU-2013:0641
Source: REDHAT Type: UNKNOWN RHSA-2013:0710
Source: CCN Type: SA52596 Puppet Multiple Vulnerabilities
Source: SECUNIA Type: Vendor Advisory 52596
Source: UBUNTU Type: UNKNOWN USN-1759-1
Source: DEBIAN Type: UNKNOWN DSA-2643
Source: DEBIAN Type: DSA-2643 puppet -- several vulnerabilities
Source: CCN Type: Oracle Web site Oracle Critical Patch Update Advisory - January 2014
Source: CCN Type: BID-58453 Puppet CVE-2013-1654 Security Bypass Vulnerability
Source: BID Type: UNKNOWN 64758
Source: CCN Type: BID-64758 RETIRED: Oracle January 2014 Critical Patch Update Multiple Vulnerabilities
Source: XF Type: UNKNOWN puppet-ssl-protocol-sec-bypass(82755)
Source: CCN Type: Puppet Labs Web Site Security Updates: New Releases of Puppet and Puppet Enterprise
Source: CONFIRM Type: Vendor Advisory https://puppetlabs.com/security/cve/cve-2013-1654/