CVE-2016-5713

CRITICAL

Puppet Agent <1.6.0 - Code Injection

Title source: llm

Description

Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0.

References (1)

Core References
Vendor Advisory x_refsource_confirm
https://puppet.com/security/cve/cve-2016-5713

Scores

CVSS v3 9.8
EPSS 0.0202
EPSS Percentile 78.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (2)
Puppet/Puppet Agent Introduced in 1.3.0, fixed in 1.6.0
puppet/puppet_agent 1.3.0 - 1.6.0
Published Dec 06, 2017
Tracked Since Feb 18, 2026