CVE-2013-1655

Description

Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes."

Affected packages (2)

• Debian/puppetfrom 0, < 2.7.18-3
• RubyGems/puppet>= 2.7.0, < 2.7.21

References (11)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2013-1655
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2013-1655
• PATCHhttps://github.com/puppetlabs/puppet
• WEBhttp://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
• WEBhttp://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
• WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-1655.yml
• WEBhttps://puppetlabs.com/security/cve/cve-2013-1655
• WEBhttps://web.archive.org/web/20200228144801/http://www.securityfocus.com/bid/58442
• WEBhttps://www.puppet.com/security/cve/cve-2013-1655-unauthenticated-remote-code-execution-vulnerability
• WEBhttp://ubuntu.com/usn/usn-1759-1
• WEBhttp://www.debian.org/security/2013/dsa-2643