Bugzilla – Bug 1212124
VUL-0: CVE-2023-2530: puppet: A privilege escalation allowing remote code execution was discovered in the orchestration service.
Last modified: 2023-06-15 10:35:11 UTC
A privilege escalation allowing remote code execution was discovered in the orchestration service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-2530
https://www.cve.org/CVERecord?id=CVE-2023-2530
https://www.puppet.com/security/cve/cve-2023-2530-remote-code-execution-orchestrator
Hi Danilo,

the puppet SA only mentions the following closed source products as affected:

- Puppet Enterprise 2021.7.0 through Puppet Enterprise 2021.7.3
- Puppet Enterprise 2023.0 and Puppet Enterprise 2023.1

I found that orchestration features are only included in Puppet Enterprise. According to that, I'm keen to assess our maintained packages as not affected. Would you agree with that?

Packages we currently maintain:

- SUSE:SLE-11-SP1:Update/puppet
- SUSE:SLE-12:Update/puppet
(In reply to Gianluca Gabrielli from comment #1)
> Hi Danilo,
>
> the puppet SA only mentions the following closed source products as affected:
>
> - Puppet Enterprise 2021.7.0 through Puppet Enterprise 2021.7.3
> - Puppet Enterprise 2023.0 and Puppet Enterprise 2023.1
>
> I found that orchestration features are only included in Puppet Enterprise.
> According to that, I'm keen to assess our maintained packages as not
> affected. Would you agree with that?
>
> Packages we currently maintain:
>
> - SUSE:SLE-11-SP1:Update/puppet
> - SUSE:SLE-12:Update/puppet

Hello Gianluca,

yes, I agree that SLE is not affected (especially considering that the versions that are shipped are quite old).
Thank you, closing.