CVE-2013-3567 — Improper Input Validation in Puppet

CWE-20 — Improper Input Validation CWE-502 — Deserialization of Untrusted Data11 documents8 sources

Severity

7.5HIGHNVD

EPSS

6.5%

top 8.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Puppet Enterprise Canonical Ubuntu Linux +3 more

Timeline

PublishedAug 19

Latest updateOct 24

Description

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages7 packages

▶NVDpuppet/puppet_enterprise2.8.1+7

▶RubyGemspuppet/puppet2.7.0 — 2.7.22+1

▶Debianpuppet/puppet< 3.2.2-1

▶NVDpuppet/puppet11 versions+10

▶NVDpuppetlabs/puppet11 versions+10

Also affects: Ubuntu Linux 12.04, 12.10, 13.04

🔴Vulnerability Details

GHSA

Puppet Improper Input Validation vulnerability↗2017-10-24

▶

OSV

Puppet Improper Input Validation vulnerability↗2017-10-24

▶

CVEList

CVE-2013-3567: Puppet 2↗2013-08-19

▶

OSV

CVE-2013-3567: Puppet 2↗2013-08-19

▶

📋Vendor Advisories

Ubuntu

Puppet vulnerability↗2013-06-18

▶

Red Hat

puppet: remote code execution on master from unauthenticated clients↗2013-06-18

▶

Debian

CVE-2013-3567: puppet - Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before ...↗2013

▶

💬Community

Bugzilla

CVE-2013-3567 puppet: remote code execution on master from unauthenticated clients [fedora-all]↗2013-06-19

▶

Bugzilla

CVE-2013-3567 puppet: remote code execution on master from unauthenticated clients [epel-all]↗2013-06-19

▶

Bugzilla

CVE-2013-3567 puppet: remote code execution on master from unauthenticated clients↗2013-06-14

▶