CVE-2013-4761 (`resource_type` Remote Code Execution Vulnerability)

CVSS 3 Base Score:

Posted On:
August 15, 2013

Assessed Risk Level:
Medium

By using the `resource_type` service, an attacker could cause puppet to load arbitrary Ruby files from the puppet master node's file system. While this behavior is not enabled by default, `auth.conf` settings could be modified to allow it. The exploit requires local file system access to the Puppet Master.

Status:

Affected software versions:

Resolved in:

Affected Versions: Puppet 2.x (2.7.22 and earlier), 3.x (3.2.3 and earlier) | Puppet Enterprise 2.8.2 and earlier, 3.0.0
Resolved in Puppet 2.7.23 and 3.2.4
Resolved in Puppet Enterprise 2.8.3 and 3.0.1

← Back to CVE Listings

A Brief Intro to Puppet for (Very) Busy People

Enforcing Better Zero Trust Security with Puppet Enterprise

A Brief Intro to Puppet for (Very) Busy People

Enforcing Better Zero Trust Security with Puppet Enterprise

CVE-2013-4761 (`resource_type` Remote Code Execution Vulnerability)

CVSS 3 Base Score:

Posted On:
August 15, 2013

Assessed Risk Level:
Medium

Status:

Get Started

Puppet

Premium Features

CVE-2013-4761 (`resource_type` Remote Code Execution Vulnerability)

CVSS 3 Base Score:

Posted On: August 15, 2013

Assessed Risk Level: Medium

Status:

Posted On:
August 15, 2013

Assessed Risk Level:
Medium