VYPR
Unrated severityNVD Advisory· Published Apr 10, 2013· Updated Jun 16, 2026

CVE-2013-2716

CVE-2013-2716

Description

Puppet Labs Puppet Enterprise before 2.8.0 does not use a "randomized secret" in the CAS client config file (cas_client_config.yml) when upgrading from older 1.2.x or 2.0.x versions, which allows remote attackers to obtain console access via a crafted cookie.

Affected products

10
  • cpe:2.3:a:puppetlabs:puppet:1.0.0:-:enterprise:*:*:*:*:*+ 4 more
    • cpe:2.3:a:puppetlabs:puppet:1.0.0:-:enterprise:*:*:*:*:*
    • cpe:2.3:a:puppetlabs:puppet:1.1.0:-:enterprise:*:*:*:*:*
    • cpe:2.3:a:puppetlabs:puppet:1.2.0:-:enterprise:*:*:*:*:*
    • cpe:2.3:a:puppetlabs:puppet:2.5.0:-:enterprise:*:*:*:*:*
    • cpe:2.3:a:puppetlabs:puppet:2.6.0:-:enterprise:*:*:*:*:*
  • cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*+ 4 more
    • cpe:2.3:a:puppet:puppet_enterprise:*:*:*:*:*:*:*:*range: <=2.7.2
    • cpe:2.3:a:puppet:puppet_enterprise:2.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:puppet:puppet_enterprise:2.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:puppet:puppet_enterprise:2.5.2:*:*:*:*:*:*:*
    • (no CPE)range: <2.8.0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.