VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-kwem-ukrj-9yc9

Vulnerability ID	VCID-kwem-ukrj-9yc9
Aliases	CVE-2013-3567 GHSA-f7p5-w2cr-7cp7
Summary	Puppet Improper Input Validation vulnerability Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (5)

CWE-20	Improper Input Validation
CWE-502	Deserialization of Untrusted Data
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
generic_textual	HIGH	http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html
generic_textual	HIGH	http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html
generic_textual	HIGH	http://rhn.redhat.com/errata/RHSA-2013-1283.html
generic_textual	HIGH	http://rhn.redhat.com/errata/RHSA-2013-1284.html
epss	0.05772	https://api.first.org/data/v1/epss?cve=CVE-2013-3567
cvssv2	9	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-f7p5-w2cr-7cp7
generic_textual	HIGH	https://github.com/puppetlabs/puppet
generic_textual	HIGH	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-3567.yml
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2013-3567
generic_textual	HIGH	https://puppetlabs.com/security/cve/cve-2013-3567
generic_textual	HIGH	https://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability
generic_textual	HIGH	http://www.debian.org/security/2013/dsa-2715
generic_textual	HIGH	http://www.ubuntu.com/usn/USN-1886-1

Reference id	Reference type	URL
		http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html
		http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html
		http://rhn.redhat.com/errata/RHSA-2013-1283.html
		http://rhn.redhat.com/errata/RHSA-2013-1284.html
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-3567.json
		https://api.first.org/data/v1/epss?cve=CVE-2013-3567
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3567
		http://secunia.com/advisories/54429
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/puppetlabs/puppet
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2013-3567.yml
		https://nvd.nist.gov/vuln/detail/CVE-2013-3567
		https://puppetlabs.com/security/cve/cve-2013-3567
		https://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability
		http://www.debian.org/security/2013/dsa-2715
		http://www.ubuntu.com/usn/USN-1886-1
712745		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=712745
974649		https://bugzilla.redhat.com/show_bug.cgi?id=974649
CVE-2013-3567		https://puppetlabs.com/security/cve/cve-2013-3567/
GHSA-f7p5-w2cr-7cp7		https://github.com/advisories/GHSA-f7p5-w2cr-7cp7
GLSA-201308-04		https://security.gentoo.org/glsa/201308-04
RHSA-2013:1283		https://access.redhat.com/errata/RHSA-2013:1283
RHSA-2013:1284		https://access.redhat.com/errata/RHSA-2013:1284
USN-1886-1		https://usn.ubuntu.com/1886-1/

No exploits are available.

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Exploit Prediction Scoring System (EPSS)

Date	Actor	Action	Source	VulnerableCode Version
2026-05-29T08:57:02.504276+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-f7p5-w2cr-7cp7/GHSA-f7p5-w2cr-7cp7.json	38.6.0