CVE-2013-3567

Sažetak

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

Reference

http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html
http://rhn.redhat.com/errata/RHSA-2013-1283.html
http://rhn.redhat.com/errata/RHSA-2013-1284.html
http://secunia.com/advisories/54429
http://www.debian.org/security/2013/dsa-2715
http://www.ubuntu.com/usn/USN-1886-1
https://puppetlabs.com/security/cve/cve-2013-3567/

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

10-07-2019 - 18:10

Objavljeno

19-08-2013 - 23:55