CVE-2017-2292
Published: Jun 30, 2017
Modified: Sep 16, 2024
State: PUBLISHED
Description
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
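As an added illustration (not code from the advisory or from MCollective itself), the Ruby below contrasts the two loaders on a constructed agent reply: the pre-fix behaviour honours a `!ruby/object:` tag and instantiates the named class, while `YAML.safe_load` rejects it. `AgentReply`, `legacy_parse`, `hardened_parse` and `classify` are names chosen for this example.

```ruby
require 'yaml'

# Stand-in for any class already loaded on the MCollective server.
# Constructed for this example; it is not an MCollective class.
class AgentReply
  attr_accessor :msg
end

# A benign reply as an agent would normally send it (constructed sample).
BENIGN_REPLY = "---\nstatuscode: 0\ndata:\n  msg: ok\n"

# A reply carrying a Ruby object tag (constructed sample). The unsafe
# loader resolves the tag to a class and builds an instance of it.
TAGGED_REPLY = "--- !ruby/object:AgentReply\nmsg: from the wire\n"

# Pre-2.10.4 behaviour: full YAML with object tags honoured.
# Psych 4 (Ruby 3.1+) renamed the unsafe loader to unsafe_load;
# on older Psych, YAML.load itself is the unsafe loader.
def legacy_parse(yaml)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# Fixed behaviour: plain data only. A tag resolving to a class outside
# the permitted list raises Psych::DisallowedClass. Payloads that use
# symbol keys need Symbol in `permitted` (an assumption about the
# caller's data, not a statement about the MCollective fix).
def hardened_parse(yaml, permitted: [])
  YAML.safe_load(yaml, permitted_classes: permitted)
end

# Classify an incoming document so a server can log and drop rejects:
# :plain if safe_load accepts it as data, :rejected if it refuses.
def classify(yaml)
  hardened_parse(yaml)
  :plain
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts legacy_parse(TAGGED_REPLY).class # AgentReply: object built from the wire
  puts classify(BENIGN_REPLY)           # plain
  puts classify(TAGGED_REPLY)           # rejected
end
```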
| Vendor | Product | Versions |
|---|---|---|
| Puppet | mcollective, Puppet, Puppet Enterprise | Affected: Puppet Enterprise prior to 2016.4.5, Puppet Enterprise 2016.5.x, Puppet Enterprise 2017.1.x, Puppet Agent prior to 1.10.1 |
References
- https://puppet.com/security/cve/cve-2017-2292 (x_refsource_CONFIRM)
- GLSA-201709-01 (vendor-advisory, x_refsource_GENTOO)