Platform: ruby
Component: puppet
Fixed in: 2.7.22
CVE-2013-3567 is a remote code execution (RCE) vulnerability affecting Puppet configuration management software. This flaw allows attackers to execute arbitrary code by crafting malicious REST API calls that exploit insecure deserialization of YAML data. The vulnerability impacts Puppet versions 2.7.x before 2.7.22, 3.2.x before 3.2.2, and Puppet Enterprise versions before 2.8.2. A fix is available in Puppet 2.7.22 and later.
The impact of CVE-2013-3567 is severe. A successful exploit allows an attacker to gain complete control over the Puppet master server. This can lead to unauthorized access to sensitive data, modification of configuration settings, and, potentially, complete compromise of the managed infrastructure. Attackers could leverage this vulnerability to install malware, steal credentials, or disrupt services. Arbitrary code execution on the Puppet master effectively grants the attacker the same privileges as the Puppet master process, providing a wide attack surface. This vulnerability shares similarities with other deserialization vulnerabilities, where untrusted data is processed without proper validation, leading to code execution.
CVE-2013-3567 was publicly disclosed in 2017. While no active exploitation campaigns have been definitively linked to this specific CVE, the nature of RCE vulnerabilities makes them attractive targets for attackers. Public proof-of-concept exploits are available, demonstrating the feasibility of exploitation. It is not listed on the CISA KEV catalog as of this writing. The vulnerability's age and the availability of exploits suggest that it remains a potential risk, particularly for systems running older, unpatched Puppet versions.
Exploit Status
EPSS: 6.46% (91st percentile)
The primary mitigation for CVE-2013-3567 is to upgrade Puppet to version 2.7.22 or later. If upgrading immediately is not possible, consider restricting access to the Puppet REST API to trusted networks and users. Implement strict input validation on all data received via the REST API to prevent malicious YAML payloads from being processed. Additionally, review and audit existing Puppet code for any potential vulnerabilities related to data serialization and deserialization. After upgrading, confirm the fix by attempting to trigger the vulnerable REST API endpoint with a known malicious YAML payload; it should now be rejected.
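The input-validation mitigation above, sketched in Ruby as an added example (this is not Puppet's code or its patch): untrusted YAML is parsed as plain data only, so a document that names a Ruby class through an object tag is refused instead of instantiated. The function name `parse_untrusted_yaml`, the size limit, the class name `HypotheticalReport` and both sample bodies are assumptions constructed for illustration.

```ruby
require 'yaml'

# Constructed sample request bodies (not taken from real Puppet traffic).
PLAIN_BODY  = "hostname: web01\nos: linux\ncores: 4\n"
# Carries an object tag naming a hypothetical application class.
TAGGED_BODY = "--- !ruby/object:HypotheticalReport\nhost: web01\n"

# Parse an untrusted YAML body as plain data only.
# Returns [:ok, data] or [:rejected, reason]; it never instantiates
# a class named by the document.
def parse_untrusted_yaml(body, max_bytes: 64 * 1024)
  return [:rejected, 'body too large'] if body.bytesize > max_bytes

  # safe_load permits only nil, booleans, numbers, strings, arrays and
  # hashes; a !ruby/object tag raises Psych::DisallowedClass.
  data = YAML.safe_load(body)
  return [:rejected, 'top level must be a mapping'] unless data.is_a?(Hash)

  [:ok, data]
rescue Psych::DisallowedClass => e
  [:rejected, "object tag refused: #{e.message}"]
rescue Psych::BadAlias
  [:rejected, 'aliases refused']
rescue Psych::SyntaxError => e
  [:rejected, "malformed YAML: #{e.message}"]
end

if __FILE__ == $PROGRAM_NAME
  [PLAIN_BODY, TAGGED_BODY].each { |b| p parse_untrusted_yaml(b) }
end
```

A rejection at this layer is also worth logging, since an object tag in a request body that should hold plain data is a useful detection signal.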
CVE-2013-3567 is a remote code execution vulnerability in Puppet versions ≤2.7.9 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2. It allows attackers to execute arbitrary code via crafted REST API calls.
You are affected if you are running Puppet versions 2.7.x before 2.7.22, 3.2.x before 3.2.2, or Puppet Enterprise before 2.8.2.
Upgrade Puppet to version 2.7.22 or later. Restrict access to the Puppet REST API and validate all input data.
While no confirmed active campaigns are publicly known, the vulnerability's nature and the availability of PoCs suggest it remains a potential risk.
Refer to the Puppet security advisory: https://puppet.com/security/advisories/puppet-security-advisory-2017-0007