CVE-2018-6508

Summary

Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a remote execution bug when a specially crafted string was passed into the facter_task or puppet_conf tasks. This vulnerability only affects tasks in the affected modules, if you are not using puppet tasks you are not affected by this vulnerability.

Affected Software

VendorProductVersion RangeStatus
PuppetPuppet Enterprise2017.3.x prior to 2017.3.4affected
Puppetpuppetlabs/facter_taskprior to 0.1.5affected
Puppetpuppetlabs/puppet_confprior to 0.1.5affected
Puppetpuppetlabs/aptprior to 4.5.1affected
Puppetpuppetlabs/mysqlprior to 5.2.1affected
Puppetpuppetlabs/apacheprior to 2.3.1affected

Weaknesses

  • Remote Code Execution

ADP Enrichment

CVE Program Container

Additional References

References