Puppet 2.7.x prior to 2.7.22 and 3.2.x prior to 3.2.2, and Puppet Enterprise prior to 2.8.2, deserialize untrusted YAML, which allows remote malicious users to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
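The bug class described above, as an added example that is not taken from the advisory or from Puppet's code: Ruby's Psych loader in restricted mode refuses a YAML document that requests a Ruby object, and the syntax tree is scanned for the offending tags so the rejection can be logged. The sample bodies, the `ExampleGadget` class name and the function names are constructed for illustration.

```ruby
require "yaml"

# Constructed sample request bodies (not from Puppet or any real request).
PLAIN_BODY = <<~DOC
  name: agent01.example.test
  values:
    osfamily: Debian
    uptime_days: 12
DOC

# Same shape, but one node carries an explicit Ruby object tag.
# ExampleGadget is a hypothetical class name; it is never defined or loaded.
TAGGED_BODY = <<~DOC
  name: agent01.example.test
  values: !ruby/object:ExampleGadget
    setting: 1
DOC

# Walk the YAML syntax tree (no Ruby objects are built at this stage) and
# collect every explicit tag that asks the loader for a Ruby-specific type.
def ruby_tags(yaml_text)
  Psych.parse_stream(yaml_text).each_with_object([]) do |node, found|
    tag = node.respond_to?(:tag) ? node.tag : nil
    found << tag if tag && tag.start_with?("!ruby/")
  end
rescue Psych::SyntaxError
  []
end

# Deserialize untrusted input with the restricted loader: only plain data
# types (hashes, arrays, strings, numbers, booleans, nil) are allowed.
def load_untrusted(yaml_text)
  { ok: true, data: YAML.safe_load(yaml_text) }
rescue Psych::DisallowedClass => e
  # The document asked for a class outside the allowlist; keep the tags for the log.
  { ok: false, error: e.class.name, ruby_tags: ruby_tags(yaml_text) }
rescue Psych::SyntaxError => e
  { ok: false, error: e.class.name, ruby_tags: [] }
end

if __FILE__ == $PROGRAM_NAME
  [PLAIN_BODY, TAGGED_BODY].each { |body| p load_untrusted(body) }
end
```

On Ruby releases before 3.1, `YAML.load` does not apply this restriction, so code that handles untrusted input should call `YAML.safe_load` explicitly.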
| Vulnerable Product |
|---|
| puppetlabs puppet 2.7.1 |
| puppet puppet 2.7.10 |
| puppet puppet 2.7.18 |
| puppetlabs puppet 2.7.19 |
| puppetlabs puppet 3.2.0 |
| puppet puppet 2.7.13 |
| puppet puppet 2.7.14 |
| puppetlabs puppet 2.7.20 |
| puppet puppet 2.7.21 |
| puppet puppet 2.7.11 |
| puppet puppet 2.7.12 |
| puppet puppet 2.7.2 |
| puppet puppet 3.2.1 |
| puppetlabs puppet 2.7.0 |
| puppet puppet 2.7.16 |
| puppet puppet 2.7.17 |
| canonical ubuntu linux 12.10 |
| canonical ubuntu linux 12.04 |
| canonical ubuntu linux 13.04 |
| novell suse linux enterprise server 11.0 |
| novell suse linux enterprise desktop 11.0 |
| novell suse linux enterprise desktop 11 |
| puppet puppet enterprise |
| puppet puppet enterprise 1.0 |
| puppetlabs puppet 2.5.0 |
| puppet puppet enterprise 2.5.1 |
| puppet puppet enterprise 1.2.0 |
| puppetlabs puppet 1.1.0 |
| puppetlabs puppet 1.0.0 |
| puppet puppet enterprise 1.1 |
| puppet puppet enterprise 2.5.2 |
| puppetlabs puppet 2.6.0 |
| puppetlabs puppet 1.2.0 |
| puppet puppet enterprise 2.0.0 |
| puppetlabs puppet 2.7.2 |
| puppet puppet enterprise 2.8.0 |

Big trouble in automated clouds
Puppet Labs has blasted out a security advisory about a vulnerability in the popular infrastructure management tool Puppet. The CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability) warning was issued by Puppet Labs on Tuesday, and advises all Puppet users to upgrade to versions 2.7.22, 3.2.2 or later, and paid-for customers of Puppet Enterprise to move to 2.8.2. The vulnerability is serious as it allows for code to be executed remotely. "When making REST api calls, the puppet mast...