Vulnerability category: Local
Severity:
Vulnerability information
Puppet is IT automation software that helps system administrators manage infrastructure throughout its lifecycle, from provisioning and configuration to orchestration and reporting.
When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload.
Affected Versions:
All versions prior to Puppet 2.7.22, 3.2.2
All versions prior to Puppet Enterprise 2.8.2
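The root cause described above is generic Ruby YAML deserialization: a full `YAML.load` honours `!ruby/object:` tags and allocates whatever class the document names, while `YAML.safe_load` only builds core YAML types and raises `Psych::DisallowedClass` on anything else. The following Ruby snippet is an added illustration of that contrast, not code from Puppet or from this advisory; the `ReportSummary` class, the two YAML documents, and the loader helpers are all constructed here to show what a defender should check for in a service that accepts YAML from clients.

```ruby
require 'yaml'

# Hypothetical class standing in for "any class available in the ruby process".
# Psych never calls initialize when reviving a tagged object: it allocates the
# instance and sets instance variables straight from the document, so whatever
# methods the server later calls run on attacker-chosen state.
class ReportSummary
  attr_reader :host, :status

  def initialize(host, status)
    @host = host
    @status = status
  end
end

# Constructed sample: what an honest client would send (a plain mapping).
BENIGN_DOCUMENT = "host: web01.example\nstatus: changed\n"

# Constructed sample: the same data, but tagged so the parser builds an object.
TAGGED_DOCUMENT = "--- !ruby/object:ReportSummary\nhost: web01.example\nstatus: changed\n"

# Full Psych deserialization, i.e. the behaviour the advisory warns about.
# Psych 4 (Ruby 3.1+) renamed this to unsafe_load and made YAML.load safe by
# default, so pick whichever entry point is the unrestricted one on this runtime.
def unsafe_deserialize(yaml_text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml_text) : YAML.load(yaml_text)
end

# Hardened loader: YAML core types only (String, Integer, Float, Array, Hash, nil,
# true/false); any Ruby object tag raises Psych::DisallowedClass.
def safe_deserialize(yaml_text)
  YAML.safe_load(yaml_text)
end

# Even a safely loaded document should be shape-checked before use, since the
# server still has no guarantee the client sent the mapping it expects.
def validate_report(obj)
  return false unless obj.is_a?(Hash)
  %w[host status].all? { |key| obj[key].is_a?(String) }
end

# Runs one loader over one document and reports the resulting class name, or
# :rejected when the loader refused the document.
def classify(loader, yaml_text)
  send(loader, yaml_text).class.name
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_DOCUMENT, TAGGED_DOCUMENT].each do |doc|
    puts "unsafe -> #{classify(:unsafe_deserialize, doc)}, safe -> #{classify(:safe_deserialize, doc)}"
  end
end
```

Running it shows the unrestricted loader turning the tagged document into a live `ReportSummary` instance, while `safe_load` accepts the plain mapping and rejects the tagged one; the shape check on top catches clients that send well-formed YAML of the wrong structure.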
Impact
Successful exploitation of the vulnerability allows an attacker to execute arbitrary code in the context of the logged-in user.
Solution
Updates that fix this vulnerability are available, and it is advised to upgrade to the latest version of the software. The latest version can be downloaded from here.
Patch:
Following are links for downloading patches to fix the vulnerabilities: