Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| puppet (RubyGems) | 2.7.0 | 2.7.22 | N/A |
| puppet (RubyGems) | 3.2.0 | 3.2.2 | N/A |
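As an added example, not code from the Puppet project or from this advisory, the following Ruby loader accepts YAML from an untrusted request only as plain data, which is the class of fix for a "deserializes untrusted YAML" bug: Psych's restricted loader refuses any `!ruby/object:` tag and any alias. The sample documents are constructed here, and `InternalObject` is a placeholder class name.

```ruby
require "yaml"

# Loader for YAML arriving from an untrusted client (for example a REST
# request body). Psych.safe_load only builds plain types (Hash, Array,
# String, Integer, Float, true/false/nil) plus the classes listed in
# permitted_classes; a "!ruby/object:SomeClass" tag, which a plain
# YAML.load on old Psych versions would turn into a live Ruby object,
# is rejected before the class name is even resolved. Since Psych 4
# (Ruby 3.1) YAML.load already behaves like safe_load, but calling
# safe_load explicitly pins that behaviour on older interpreters too.
def load_untrusted_yaml(text)
  Psych.safe_load(text, permitted_classes: [Symbol], aliases: false)
end

# Returns [:ok, data] for plain documents, or [:rejected, reason] when the
# document tries to build an object (DisallowedClass) or uses an alias
# (BadAlias, which Psych 4's AliasesNotEnabled subclasses).
def try_load(text)
  [:ok, load_untrusted_yaml(text)]
rescue Psych::DisallowedClass, Psych::BadAlias => e
  [:rejected, e.message]
end

# Constructed sample: the kind of plain request data a client should send.
BENIGN = "---\nname: web01\nfacts:\n  os: linux\n  cores: 4\n"

# Constructed sample: a document that asks the parser to instantiate an
# arbitrary Ruby class instead of returning data. InternalObject is a
# placeholder name; the tag is refused whatever name appears here.
OBJECT_TAG = "--- !ruby/object:InternalObject\nfoo: bar\n"

# Constructed sample: an anchor/alias pair, refused because aliases: false.
ALIASED = "---\na: &x [1, 2]\nb: *x\n"

if __FILE__ == $0
  p try_load(BENIGN)      # [:ok, {"name"=>"web01", "facts"=>{"os"=>"linux", "cores"=>4}}]
  p try_load(OBJECT_TAG)  # [:rejected, "Tried to load unspecified class: InternalObject"]
  p try_load(ALIASED)     # [:rejected, "..."] (message text differs between Psych 3 and 4)
end
```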
CVSS Metrics