CVE-2013-1654

Published: Mar 20, 2013Modified: Apr 29, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors.

Affected (27)

Products: Puppet: Puppet, Puppet Enterprise · Puppetlabs: Puppet · Canonical: Ubuntu Linux

2 products

Puppet Enterprise

1 product

1 product

Configuration A

21 vulnerable

Vulnerable Software	Affected Versions
Puppet Puppet	Version 2.7.10
Puppet Puppet	Version 2.7.11
Puppet Puppet	Version 2.7.12
Puppet Puppet	Version 2.7.13
Puppet Puppet	Version 2.7.14
Puppet Puppet	Version 2.7.16
Puppet Puppet	Version 2.7.17
Puppet Puppet	Version 2.7.18
Puppet Puppet	Version 2.7.2
Puppet Puppet	Version 2.7.3
Puppet Puppet	Version 2.7.4
Puppet Puppet	Version 2.7.5
Puppet Puppet	Version 2.7.6
Puppet Puppet	Version 2.7.7
Puppet Puppet	Version 2.7.8
Puppet Puppet	Version 2.7.9
Puppetlabs Puppet	Version 2.7.0
Puppetlabs Puppet	Version 2.7.19
Puppetlabs Puppet	Version 2.7.1
Puppetlabs Puppet	Version 2.7.20
Puppetlabs Puppet	Version 2.7.20 rc1

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Puppet Puppet Enterprise	Version 3.1.0

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Puppetlabs Puppet	Version 2.7.0
Puppetlabs Puppet	Version 2.7.1

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 11.10
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 12.10

References (16)

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html

Source: cve@mitre.org

http://rhn.redhat.com/errata/RHSA-2013-0710.html

Source: cve@mitre.org

http://secunia.com/advisories/52596

Source: cve@mitre.org

Vendor Advisory

http://ubuntu.com/usn/usn-1759-1

Source: cve@mitre.org

http://www.debian.org/security/2013/dsa-2643

Source: cve@mitre.org

http://www.securityfocus.com/bid/64758

Source: cve@mitre.org

https://puppetlabs.com/security/cve/cve-2013-1654/

Source: cve@mitre.org

Vendor Advisory

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2013-0710.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/52596

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://ubuntu.com/usn/usn-1759-1

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2013/dsa-2643

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/64758

Source: af854a3a-2127-422b-91ae-364da2661108

https://puppetlabs.com/security/cve/cve-2013-1654/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.