CVE-2013-3567
puppet - code execution
EPSS 5.8%
Description
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
How to fix CVE-2013-3567
To remediate CVE-2013-3567, upgrade the affected package to a fixed version below.
- Debian/puppet—upgrade to 3.2.2-1 or later
- Debian/puppet—upgrade to 2.6.2-5+squeeze8 or later
- RubyGems/puppet—upgrade to 2.7.22 or later
Is CVE-2013-3567 being exploited?
Moderate — EPSS is 5.8%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- from 0, < 3.2.2-1
- from 0, < 2.6.2-5+squeeze8
- >= 2.7.0, < 2.7.22