CVE-2013-3567
EPSS 5.8%puppet - code execution
Published: 10/24/2017Modified: 4/28/2026
Description
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
Affected packages (3)
- Debian/puppetfrom 0, < 3.2.2-1
- Debian/puppetfrom 0, < 2.6.2-5+squeeze8
- RubyGems/puppet>= 2.7.0, < 2.7.22
References (12)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2013-3567
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2013-3567
- PATCHhttps://github.com/puppetlabs/puppet
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html
- WEBhttp://rhn.redhat.com/errata/RHSA-2013-1283.html
- WEBhttp://rhn.redhat.com/errata/RHSA-2013-1284.html
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-3567.yml
- WEBhttps://puppetlabs.com/security/cve/cve-2013-3567
- WEBhttps://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability
- WEBhttp://www.debian.org/security/2013/dsa-2715
- WEBhttp://www.ubuntu.com/usn/USN-1886-1