CVE-2013-3567 Information

Description

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2 and Puppet Enterprise before 2.8.2 deserializes untrusted YAML which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

Reference

http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html http://rhn.redhat.com/errata/RHSA-2013-1283.html http://rhn.redhat.com/errata/RHSA-2013-1284.html http://secunia.com/advisories/54429 http://www.debian.org/security/2013/dsa-2715 http://www.ubuntu.com/usn/USN-1886-1 https://puppetlabs.com/security/cve/cve-2013-3567/