Lucene search

[email protected]NVD:CVE-2013-3567

HistoryAug 19, 2013 - 11:55 p.m.

CVE-2013-3567

2013-08-1923:55:08

CWE-20

[email protected]

web.nvd.nist.gov

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.3 High

AI Score

Confidence

Low

0.223 Low

EPSS

Percentile

96.5%

JSON

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

Affected configurations

NVD

Node

puppetpuppetMatch2.7.2

puppetpuppetMatch2.7.10

puppetpuppetMatch2.7.11

puppetpuppetMatch2.7.12

puppetpuppetMatch2.7.13

puppetpuppetMatch2.7.14

puppetpuppetMatch2.7.16

puppetpuppetMatch2.7.17

puppetpuppetMatch2.7.18

puppetpuppetMatch2.7.21

puppetpuppetMatch3.2.1

puppetlabspuppetMatch2.7.0

puppetlabspuppetMatch2.7.1

puppetlabspuppetMatch2.7.19

puppetlabspuppetMatch2.7.20

puppetlabspuppetMatch2.7.20rc1

puppetlabspuppetMatch3.2.0

Node

canonicalubuntu_linuxMatch12.04-lts

canonicalubuntu_linuxMatch12.10

canonicalubuntu_linuxMatch13.04

Node

novellsuse_linux_enterprise_desktopMatch11sp3

novellsuse_linux_enterprise_desktopMatch11.0sp2

novellsuse_linux_enterprise_serverMatch11.0sp2vmware

novellsuse_linux_enterprise_serverMatch11.0sp3

novellsuse_linux_enterprise_serverMatch11.0sp3vmware

Node

puppetpuppet_enterpriseRange≤2.8.1

puppetpuppet_enterpriseMatch1.0

puppetpuppet_enterpriseMatch1.1

puppetpuppet_enterpriseMatch1.2.0

puppetpuppet_enterpriseMatch2.0.0

puppetpuppet_enterpriseMatch2.5.1

puppetpuppet_enterpriseMatch2.5.2

puppetpuppet_enterpriseMatch2.8.0

puppetlabspuppetMatch1.0.0-enterprise

puppetlabspuppetMatch1.1.0-enterprise

puppetlabspuppetMatch1.2.0-enterprise

puppetlabspuppetMatch2.5.0-enterprise

puppetlabspuppetMatch2.6.0-enterprise

puppetlabspuppetMatch2.7.0-enterprise

puppetlabspuppetMatch2.7.1-enterprise

puppetlabspuppetMatch2.7.2-enterprise

References

lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html

lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html

rhn.redhat.com/errata/RHSA-2013-1283.html

rhn.redhat.com/errata/RHSA-2013-1284.html

secunia.com/advisories/54429

www.debian.org/security/2013/dsa-2715

www.ubuntu.com/usn/USN-1886-1

puppetlabs.com/security/cve/cve-2013-3567/

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

7.3 High

AI Score

Confidence

Low

0.223 Low

EPSS

Percentile

96.5%

JSON

Related for NVD:CVE-2013-3567

openvas10 cvelist1 nessus10 securityvulns1 amazon1 cve1 freebsd1 suse2 veracode1 prion1 ubuntu1 mageia1 osv1 debian1 ubuntucve1 debiancve1 github1 redhat2 gentoo1