Описание
Puppet Improper Input Validation vulnerability
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2013-3567
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-3567.yml
- https://puppetlabs.com/security/cve/cve-2013-3567
- https://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability
- http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html
- http://rhn.redhat.com/errata/RHSA-2013-1283.html
- http://rhn.redhat.com/errata/RHSA-2013-1284.html
- http://www.debian.org/security/2013/dsa-2715
- http://www.ubuntu.com/usn/USN-1886-1
Пакеты
puppet
>= 2.7.0, < 2.7.22
2.7.22
puppet
>= 3.2.0, < 3.2.2
3.2.2
Связанные уязвимости
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterpri ...
