{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-03-12T00:00:00", "descriptions": [{"lang": "en", "value": "Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-01-16T01:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "SUSE-SU-2013:0618", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html"}, {"name": "RHSA-2013:0710", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0710.html"}, {"name": "DSA-2643", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2013/dsa-2643"}, {"name": "52596", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/52596"}, {"name": "USN-1759-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://ubuntu.com/usn/usn-1759-1"}, {"name": "openSUSE-SU-2013:0641", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://puppetlabs.com/security/cve/cve-2013-1654/"}, {"name": "64758", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/64758"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-1654", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "SUSE-SU-2013:0618", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html"}, {"name": "RHSA-2013:0710", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2013-0710.html"}, {"name": "DSA-2643", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2013/dsa-2643"}, {"name": "52596", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/52596"}, {"name": "USN-1759-1", "refsource": "UBUNTU", "url": "http://ubuntu.com/usn/usn-1759-1"}, {"name": "openSUSE-SU-2013:0641", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html"}, {"name": "https://puppetlabs.com/security/cve/cve-2013-1654/", "refsource": "CONFIRM", "url": "https://puppetlabs.com/security/cve/cve-2013-1654/"}, {"name": "64758", "refsource": "BID", "url": "http://www.securityfocus.com/bid/64758"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T15:13:32.892Z"}, "title": "CVE Program Container", "references": [{"name": "SUSE-SU-2013:0618", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html"}, {"name": "RHSA-2013:0710", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2013-0710.html"}, {"name": "DSA-2643", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2013/dsa-2643"}, {"name": "52596", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/52596"}, {"name": "USN-1759-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://ubuntu.com/usn/usn-1759-1"}, {"name": "openSUSE-SU-2013:0641", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://puppetlabs.com/security/cve/cve-2013-1654/"}, {"name": "64758", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/64758"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-1654", "datePublished": "2013-03-20T16:00:00", "dateReserved": "2013-02-11T00:00:00", "dateUpdated": "2024-08-06T15:13:32.892Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet:2.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "BE56BA6B-BDC4-431E-81FD-D7ED5E8783E9", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.3:*:*:*:*:*:*:*", "matchCriteriaId": "FDDDFB28-1971-4CCD-93D2-ABC08FE67F4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.4:*:*:*:*:*:*:*", "matchCriteriaId": "508105B4-619A-4A9D-8B2F-FE5992C1006A", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.5:*:*:*:*:*:*:*", "matchCriteriaId": "26DB96A5-A57D-452F-A452-98B11F51CAE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.6:*:*:*:*:*:*:*", "matchCriteriaId": "D33AF704-FA05-4EA8-BE95-0177871A810F", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.7:*:*:*:*:*:*:*", "matchCriteriaId": "390FC5AE-4939-468C-B323-6B4E267A0F4C", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.8:*:*:*:*:*:*:*", "matchCriteriaId": "07DE4213-E233-402E-88C2-B7FF8D7B682C", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.9:*:*:*:*:*:*:*", "matchCriteriaId": "4122D8E3-24AD-4A55-9F89-C3AAD50E638D", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.10:*:*:*:*:*:*:*", "matchCriteriaId": "AF6D6B90-62BA-4944-A699-6D7C48AFD0A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.11:*:*:*:*:*:*:*", "matchCriteriaId": "8EC6A7B3-5949-4439-994A-68DA65438F5D", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.12:*:*:*:*:*:*:*", "matchCriteriaId": "5140C34D-589C-43DB-BCA7-8434EB173205", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.13:*:*:*:*:*:*:*", "matchCriteriaId": "E561C081-6262-46D3-AB17-01EEA6D3E988", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.14:*:*:*:*:*:*:*", "matchCriteriaId": "4703802D-0E3A-4760-B660-6AE0AF74DD40", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.16:*:*:*:*:*:*:*", "matchCriteriaId": "BE3D39F6-F9C8-4E7F-981A-265B04E85579", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.17:*:*:*:*:*:*:*", "matchCriteriaId": "FEBB3936-7A81-4BD9-80B2-3F614980BBCE", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppet:puppet:2.7.18:*:*:*:*:*:*:*", "matchCriteriaId": "A1EABC0F-A7A6-4C28-9331-3EEB6D39A0C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "1E5192CB-094F-469E-A644-2255C4F44804", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "D17D2752-CB0D-4CC8-8604-FEBF8DEE16E0", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.19:*:*:*:*:*:*:*", "matchCriteriaId": "29BBE8DB-8560-4A57-9BCB-D709A697ECDE", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.20:*:*:*:*:*:*:*", "matchCriteriaId": "10E0543B-5B1D-4522-945D-98BD63380500", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.20:rc1:*:*:*:*:*:*", "matchCriteriaId": "817AB37A-F7B0-4E68-B10A-9E4A358793F3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppet:puppet_enterprise:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3CFF3B0A-2C66-445A-BB5C-136DCAA584FE", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.0:-:enterprise:*:*:*:*:*", "matchCriteriaId": "49809A49-DD06-4335-9A09-EA35EB381B53", "vulnerable": true}, {"criteria": "cpe:2.3:a:puppetlabs:puppet:2.7.1:-:enterprise:*:*:*:*:*", "matchCriteriaId": "EE62E9E9-6183-4D43-B776-F6BA06AA292B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*", "matchCriteriaId": "E4174F4F-149E-41A6-BBCC-D01114C05F38", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*", "matchCriteriaId": "F5D324C4-97C7-49D3-A809-9EAD4B690C69", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*", "matchCriteriaId": "E2076871-2E80-4605-A470-A41C1A8EC7EE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors."}, {"lang": "es", "value": "Puppet v2.7.x anterior a v2.7.21 y v3.1.x anterior a v3.1.1, y Puppet Enterprise v2.7.x anterior a v2.7.2, no negocian correctamente el protocolo SSL entre el cliente y el master, lo que permite a atacantes remotos llevar a cabo ataques SSLv2 contra sesiones SSLv3 mediante vectores no especificados."}], "evaluatorImpact": "Per http://www.ubuntu.com/usn/usn-1759-1/\r\n\"A security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n    Ubuntu 12.10\r\n    Ubuntu 12.04 LTS\r\n    Ubuntu 11.10\r\n\"", "id": "CVE-2013-1654", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-03-20T16:55:01.790", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html"}, {"source": "cve@mitre.org", "url": "http://rhn.redhat.com/errata/RHSA-2013-0710.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/52596"}, {"source": "cve@mitre.org", "url": "http://ubuntu.com/usn/usn-1759-1"}, {"source": "cve@mitre.org", "url": "http://www.debian.org/security/2013/dsa-2643"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/64758"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://puppetlabs.com/security/cve/cve-2013-1654/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2013-0710.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/52596"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://ubuntu.com/usn/usn-1759-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2013/dsa-2643"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/64758"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://puppetlabs.com/security/cve/cve-2013-1654/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Puppet Labs for reporting this issue.", "affected_release": [{"advisory": "RHSA-2013:0710", "cpe": "cpe:/a:redhat:openstack:2::el6", "package": "puppet-0:2.6.18-1.el6ost", "product_name": "OpenStack Folsom for RHEL 6", "release_date": "2013-04-04T00:00:00Z"}], "bugzilla": {"description": "Puppet: SSL protocol downgrade", "id": "919770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=919770"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "verified"}, "details": ["Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, and Puppet Enterprise 2.7.x before 2.7.2, does not properly negotiate the SSL protocol between client and master, which allows remote attackers to conduct SSLv2 downgrade attacks against SSLv3 sessions via unspecified vectors."], "name": "CVE-2013-1654", "package_state": [{"cpe": "cpe:/a:cloudforms_tools:1", "fix_state": "Will not fix", "package_name": "puppet", "product_name": "Red Hat CloudForms Tools 1"}, {"cpe": "cpe:/a:redhat:enterprise_mrg:1", "fix_state": "Affected", "package_name": "puppet", "product_name": "Red Hat Enterprise MRG 1"}, {"cpe": "cpe:/a:redhat:openstack:2.1", "fix_state": "Affected", "package_name": "puppet", "product_name": "Red Hat OpenStack Platform 2.1"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Affected", "package_name": "puppet", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2013-03-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-1654\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-1654"], "threat_severity": "Low"}