SecurityHome.eu Security vulnerability: Puppet Remote Code Execution

Home / vulnerabilities PDF

Puppet Remote Code Execution
Posted on 19 June 2013
Source : packetstormsecurity.org Link

Overview
CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability)
Posted June 18, 2013

When making REST api calls, the puppet master takes YAML from an untrusted
client, deserializes it, and then calls methods on the resulting object. A YAML
payload can be crafted to cause the deserialization to construct an instance of
any class available in the ruby process, which allows an attacker to execute
code contained in the payload.
Status

Resolved in Puppet 2.7.22, 3.2.2
Resolved in Puppet Enterprise 2.8.2

Credits

Credit to Ben Murphy for the responsible disclosure of this vulnerability.

TOP

Malware :

RATDispenser
whispergate
Borat RAT
Trojanized X_Trader
BlackLotus

Last 20

Exploits :

Customer Support System 1.0 Cross Site Scripting
Xhibiter NFT Marketplace 1.10.2 SQL Injection
WordPress WPCode Lite 2.1.14 Cross Site Scripting
Azon Dominator Affiliate Marketing Script SQL Injection
Simple Laboratory Management System 1.0 SQL Injection

Last 20