CVE-2016-5713

Published: Dec 6, 2017Modified: May 13, 2026

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0.

Affected (1)

Products: Puppet: Puppet Agent

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Puppet Puppet Agent	From 1.3.0 to 1.6.0

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://puppet.com/security/cve/cve-2016-5713

Source: security@puppet.com

Vendor Advisory

https://puppet.com/security/cve/cve-2016-5713

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.