Vulnerability CVE-2013-2275

Vulnerability Name:

CVE-2013-2275 (CCN-82752)

Assigned:

2013-03-12

Published:

2013-03-12

Updated:

2019-07-10

Summary:

The default configuration for puppet masters 0.25.0 and later in Puppet before 2.6.18, 2.7.x before 2.7.21, and 3.1.x before 3.1.1, and Puppet Enterprise before 1.2.7 and 2.7.x before 2.7.2, allows remote authenticated nodes to submit reports for other nodes via unspecified vectors.
Per http://www.ubuntu.com/usn/usn-1759-1/
"A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 12.10
Ubuntu 12.04 LTS
Ubuntu 11.10"

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Bypass Security

References:

Source: MITRE
Type: CNA
CVE-2013-2275

Source: SUSE
Type: Third Party Advisory
SUSE-SU-2013:0618

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2013:0641

Source: REDHAT
Type: Third Party Advisory
RHSA-2013:0710

Source: CCN
Type: SA52596
Puppet Multiple Vulnerabilities

Source: SECUNIA
Type: Third Party Advisory
52596

Source: UBUNTU
Type: Third Party Advisory
USN-1759-1

Source: DEBIAN
Type: Third Party Advisory
DSA-2643

Source: DEBIAN
Type: DSA-2643
puppet -- several vulnerabilities

Source: BID
Type: Third Party Advisory, VDB Entry
58449

Source: CCN
Type: BID-58449
Puppet 'auth.conf' CVE-2013-2275 Security Bypass Vulnerability

Source: XF
Type: UNKNOWN
puppet-authconf-sec-bypass(82752)

Source: CCN
Type: Puppet Labs Web Site
Security Updates: New Releases of Puppet and Puppet Enterprise

Source: CONFIRM
Type: Vendor Advisory
https://puppetlabs.com/security/cve/cve-2013-2275/

Vulnerable Configuration:

Configuration 1:

cpe:/a:puppet:puppet:2.6.0:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.1:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.2:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.3:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.4:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.5:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.6:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.7:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.8:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.9:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.10:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.11:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.12:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.13:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.14:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.15:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.6.16:*:*:*:*:*:*:*

OR cpe:/a:puppetlabs:puppet:*:*:*:*:*:*:*:* (Version <= 2.6.17)

Configuration 2:

cpe:/a:puppet:puppet:2.7.2:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.3:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.4:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.5:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.6:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.7:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.8:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.9:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.10:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.11:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.12:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.13:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.14:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.16:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.17:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.18:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.0:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet:2.7.1:*:*:*:*:*:*:*

OR cpe:/a:puppetlabs:puppet:2.7.19:*:*:*:*:*:*:*

OR cpe:/a:puppetlabs:puppet:2.7.20:*:*:*:*:*:*:*

OR cpe:/a:puppetlabs:puppet:2.7.20:rc1:*:*:*:*:*:*

Configuration 3:

cpe:/a:puppet:puppet_enterprise:3.1.0:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:puppetlabs:puppet:*:*:*:*:enterprise:*:*:* (Version <= 1.2.6)

Configuration 5:

cpe:/a:puppet:puppet_enterprise:2.7.0:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet_enterprise:2.7.1:*:*:*:*:*:*:*

Configuration 6:

cpe:/o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*

OR cpe:/o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:puppet:puppet:2.7.0:*:*:*:*:*:*:*

OR cpe:/a:puppet:puppet_enterprise:1.2.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20132275	V	CVE-2013-2275	2022-05-20
oval:org.mitre.oval:def:25947	P	SUSE-SU-2013:0618-1 -- Security update for puppet	2014-09-08
oval:org.mitre.oval:def:17328	P	USN-1759-1 -- puppet vulnerabilities	2014-07-21
oval:org.mitre.oval:def:17992	P	DSA-2643-1 puppet - several issues	2014-06-23
oval:com.ubuntu.precise:def:20132275000	V	CVE-2013-2275 on Ubuntu 12.04 LTS (precise) - medium.	2013-03-20

BACK