CVSSv2: 7.5

CVE-2013-3567

Published: 19/08/2013 Updated: 10/07/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Puppet 2.7.x prior to 2.7.22 and 3.2.x prior to 3.2.2, and Puppet Enterprise prior to 2.8.2, deserializes untrusted YAML, which allows remote malicious users to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

Vulnerable Products

puppetlabs puppet 2.7.1

puppet puppet 2.7.10

puppet puppet 2.7.18

puppetlabs puppet 2.7.19

puppetlabs puppet 3.2.0

puppet puppet 2.7.13

puppet puppet 2.7.14

puppetlabs puppet 2.7.20

puppet puppet 2.7.21

puppet puppet 2.7.11

puppet puppet 2.7.12

puppet puppet 2.7.2

puppet puppet 3.2.1

puppetlabs puppet 2.7.0

puppet puppet 2.7.16

puppet puppet 2.7.17

canonical ubuntu linux 12.10

canonical ubuntu linux 12.04

canonical ubuntu linux 13.04

novell suse linux enterprise server 11.0

novell suse linux enterprise desktop 11.0

novell suse linux enterprise desktop 11

puppet puppet enterprise

puppet puppet enterprise 1.0

puppetlabs puppet 2.5.0

puppet puppet enterprise 2.5.1

puppet puppet enterprise 1.2.0

puppetlabs puppet 1.1.0

puppetlabs puppet 1.0.0

puppet puppet enterprise 1.1

puppet puppet enterprise 2.5.2

puppetlabs puppet 2.6.0

puppetlabs puppet 1.2.0

puppet puppet enterprise 2.0.0

puppetlabs puppet 2.7.2

puppet puppet enterprise 2.8.0

Vendor Advisories

Debian Bug report logs - #712745 puppet: CVE-2013-3567. Package: puppet; Maintainer for puppet is Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>; Source for puppet is src:puppet (PTS, buildd, popcon). Reported by: Moritz Muehlenhoff <jmm@inutil.org>. Date: Wed, 19 Jun 2013 05:21:01 UTC. Severity: ...
Puppet could be made to run programs if it received specially crafted network traffic ...
Synopsis: Moderate: puppet security update. Type/Severity: Security Advisory: Moderate. Topic: Updated puppet packages that fix several security issues are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scori ...
Synopsis: Critical: ruby193-puppet security update. Type/Severity: Security Advisory: Critical. Topic: Updated ruby193-puppet packages that fix three security issues are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulne ...
It was discovered that puppet, a centralized configuration management system, did not correctly handle YAML payloads. A remote attacker could use a specially-crafted payload to execute arbitrary code on the puppet master. For the oldstable distribution (squeeze), this problem will be fixed in version 2.6.2-5+squeeze8. For the stable distribution (w ...
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call ...

Recent Articles

Remote code execution vuln appears in Puppet
The Register • Jack Clark in San Francisco • 18 Jun 2013

Big trouble in automated clouds

Puppet Labs has blasted out a security advisory about a vulnerability in the popular infrastructure management tool Puppet. The CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability) warning was issued by Puppet Labs on Tuesday, and advises all Puppet users to upgrade to versions 2.7.22, 3.2.2 or later, and paid-for customers of Puppet Enterprise to move to 2.8.2. The vulnerability is serious as it allows for code to be executed remotely. "When making REST api calls, the puppet mast...