CVE-2013-3567

EPSS 5.8%

Puppet Improper Input Validation vulnerability

Published: 10/24/2017Modified: 4/28/2026

Also known as:GHSA-f7p5-w2cr-7cp7DEBIAN-CVE-2013-3567

Description

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

Affected packages (3)

Debian/puppetfrom 0, < 3.2.2-1
Debian/puppetfrom 0, < 2.6.2-5+squeeze8
RubyGems/puppet>= 2.7.0, < 2.7.22

References (12)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2013-3567
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2013-3567
PATCHhttps://github.com/puppetlabs/puppet
WEBhttp://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html
WEBhttp://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html
WEBhttp://rhn.redhat.com/errata/RHSA-2013-1283.html
WEBhttp://rhn.redhat.com/errata/RHSA-2013-1284.html
WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-3567.yml
WEBhttps://puppetlabs.com/security/cve/cve-2013-3567
WEBhttps://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability
WEBhttp://www.debian.org/security/2013/dsa-2715
WEBhttp://www.ubuntu.com/usn/USN-1886-1