Candidate: CVE-2016-5713
PublicDate: 2017-12-06 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5713
 https://puppet.com/security/cve/cve-2016-5713
Description:
 Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet
 Execution Protocol (PXP) agent that passed environment variables through to
 Puppet runs. This could allow unauthorized code to be loaded. This bug was
 first introduced in Puppet Agent 1.3.0.
Ubuntu-Description:
Notes:
 mdeslaur> puppet agent 1.3.0 is in puppet 4.3.0
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_puppet:
upstream_puppet: released (4.7.0-1)
precise/esm_puppet: DNE
trusty_puppet: not-affected (code not present)
trusty/esm_puppet: not-affected (code not present)
xenial_puppet: not-affected (code not present)
zesty_puppet: ignored (reached end-of-life)
artful_puppet: not-affected (4.10.4-2ubuntu1)
devel_puppet: not-affected