FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

puppet -- Unauthenticated Remote Code Execution Vulnerability

Affected packages
2.7 <= puppet < 2.7.22
3.0 <= puppet < 3.2.2

Details

VuXML ID b162b218-c547-4ba2-ae31-6fdcb61bc763
Discovery 2013-06-13
Entry 2013-06-22
Modified 2013-08-01

Puppet Developers report:

When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload.

References

CVE Name CVE-2013-3567