Detections
Analytics

CVE-2013-3567

high

Description

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

References

https://puppetlabs.com/security/cve/cve-2013-3567/

http://www.ubuntu.com/usn/USN-1886-1

http://www.debian.org/security/2013/dsa-2715

http://secunia.com/advisories/54429

http://rhn.redhat.com/errata/RHSA-2013-1284.html

http://rhn.redhat.com/errata/RHSA-2013-1283.html

http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html

http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html

Details

Source: Mitre, NVD

Published: 2013-08-19

Updated: 2019-07-10

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Severity: High