CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability)

CVSS 3 Base Score:

Posted On:
June 18, 2013

Assessed Risk Level:
None

When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload.

Status:

Affected software versions:

Credits

Credit to Ben Murphy for the responsible disclosure of this vulnerability.

Resolved in:

Resolved in Puppet 2.7.22, 3.2.2
Resolved in Puppet Enterprise 2.8.2

← Back to CVE Listings

A Brief Intro to Puppet for (Very) Busy People

Enforcing Better Zero Trust Security with Puppet Enterprise

A Brief Intro to Puppet for (Very) Busy People

Enforcing Better Zero Trust Security with Puppet Enterprise

CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability)

CVSS 3 Base Score:

Posted On:
June 18, 2013

Assessed Risk Level:
None

Status:

Credits

Get Started

Puppet

Premium Features

CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability)

CVSS 3 Base Score:

Posted On: June 18, 2013

Assessed Risk Level: None

Status:

Credits

Posted On:
June 18, 2013

Assessed Risk Level:
None