CVE-2013-4957

Published: Oct 25, 2013Modified: Apr 29, 2026

6.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 8.6 / Impact: 6.4

Source: NVD

Description

The dashboard report in Puppet Enterprise before 3.0.1 allows attackers to execute arbitrary YAML code via a crafted report-specific type.

Affected (7)

Products: Puppet: Puppet Enterprise

1 product

Puppet Enterprise

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Puppet Puppet Enterprise	Up to 3.0.0
Puppet Puppet Enterprise	Version 2.5.1
Puppet Puppet Enterprise	Version 2.5.2
Puppet Puppet Enterprise	Version 2.8.0
Puppet Puppet Enterprise	Version 2.8.1
Puppet Puppet Enterprise	Version 2.8.2
Puppet Puppet Enterprise	Version 2.8.3

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (8)

http://osvdb.org/98639

Source: cve@mitre.org

http://puppetlabs.com/security/cve/cve-2013-4957

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/55362

Source: cve@mitre.org

Vendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/88089

Source: cve@mitre.org

http://osvdb.org/98639

Source: af854a3a-2127-422b-91ae-364da2661108

http://puppetlabs.com/security/cve/cve-2013-4957

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/55362

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://exchange.xforce.ibmcloud.com/vulnerabilities/88089

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.