CVE-2013-3567 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2013-3567?

CVE-2013-3567 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-3567?

Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet, Puppetlabs Puppet, Canonical Ubuntu Linux, Novell Suse Linux Enterprise Desktop, Novell Suse Linux Enterprise Server.

Vulnerability Description

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

CVSS Score

7.5

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Puppet	Puppet	2.7.2
Puppetlabs	Puppet	2.7.0
Canonical	Ubuntu Linux	12.04
Novell	Suse Linux Enterprise Desktop	11
Novell	Suse Linux Enterprise Server	11.0
Puppet	Puppet Enterprise	<= 2.8.1

Related Weaknesses (CWE)

CWE-20

References

FAQ

What is CVE-2013-3567?

CVE-2013-3567 is a vulnerability with a CVSS score of 7.5 (HIGH). Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbi...

How severe is CVE-2013-3567?

CVE-2013-3567 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-3567?

Check the references section above for vendor advisories and patch information. Affected products include: Puppet Puppet, Puppetlabs Puppet, Canonical Ubuntu Linux, Novell Suse Linux Enterprise Desktop, Novell Suse Linux Enterprise Server.