CVE-2013-3567 – puppet
Package
Manager: gem
Name: puppet
Vulnerable Version: >=2.7.0 <2.7.22 || >=3.2.0 <3.2.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.11139 (percentile: 0.93213)
Details
Puppet Improper Input Validation vulnerability
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
Metadata
Created: 2017-10-24T18:33:37Z
Modified: 2023-05-12T17:27:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-f7p5-w2cr-7cp7/GHSA-f7p5-w2cr-7cp7.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-f7p5-w2cr-7cp7
Finding: F184
Auto approve: 1