Download
| Alert*
oval:org.secpod.oval:def:1600282
Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call. oval:org.secpod.oval:def:601063 It was discovered that puppet, a centralized configuration management system, did not correctly handle YAML payloads. A remote attacker could use a specially-crafted payload to execute arbitrary code on the puppet master. oval:org.secpod.oval:def:701340 puppet: Centralized configuration management Puppet could be made to run programs if it received specially crafted network traffic. |