Modernizing Authentication — What It Takes to Transform Secure Access
"When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object," the notice explains. "A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload."
Users are advised to update to Puppet 2.7.22, Puppet 3.2.2, or Puppet Enterprise 2.8.2 to patch the vulnerability.
The flaw, CVE-2013-3567, was discovered and disclosed by Ben Murphy.