ADVISORIES

• CVE-2013-3567 (NVD)
• GHSA-f7p5-w2cr-7cp7
• Vendor Advisory

GEM

puppet

SEVERITY

CVSS v2.0: 7.5 (High)

PATCHED VERSIONS

• ~> 2.7.22
• >= 3.2.2

DESCRIPTION

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

RELATED

• https://nvd.nist.gov/vuln/detail/CVE-2013-3567
• https://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability
• https://github.com/advisories/GHSA-f7p5-w2cr-7cp7
• http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html
• http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html
• http://rhn.redhat.com/errata/RHSA-2013-1283.html
• http://rhn.redhat.com/errata/RHSA-2013-1284.html
• http://www.debian.org/security/2013/dsa-2715
• http://www.ubuntu.com/usn/USN-1886-1