Unauthenticated Remote Code Execution Vulnerability
Published: October 24, 2017
SECURITY IDENTIFIERS
- CVE: CVE-2013-1655 (NVD)
- GHSA: GHSA-574q-fxfj-wv6h
- Vendor Advisory: https://www.puppet.com/security/cve/cve-2013-1655-unauthenticated-remote-code-execution-vulnerability
GEM
SEVERITY
CVSS v2.0: 7.5 (High)
UNAFFECTED VERSIONS
< 2.7.0
PATCHED VERSIONS
~> 2.7.21
>= 3.1.1
DESCRIPTION
Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes."
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2013-1655
- https://www.puppet.com/security/cve/cve-2013-1655-unauthenticated-remote-code-execution-vulnerability
- https://github.com/advisories/GHSA-574q-fxfj-wv6h
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
- http://ubuntu.com/usn/usn-1759-1
- http://www.debian.org/security/2013/dsa-2643
- https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2013-1655
- https://web.archive.org/web/20210509162357/https://www.securityfocus.com/bid/46291