CVE-2013-3567

NameCVE-2013-3567
DescriptionPuppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDSA-2715-1
Debian Bugs712745

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
puppet (PTS)buster5.5.10-4fixed
bullseye5.5.22-2fixed
bookworm, sid5.5.22-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
puppetsourcesqueeze2.6.2-5+squeeze8DSA-2715-1
puppetsourcewheezy2.7.18-5DSA-2715-1
puppetsource(unstable)3.2.2-1712745

Search for package or bug name: Reporting problems