QwikSec

Security Database

CVE

CWE

Training

CVE-2017-2298

Published: Jun 30, 2017

Modified: Sep 16, 2024

PUBLISHED

Description

The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a server-specified identifier as part of a path where a file is written. A compromised server could use this to write a file to an arbitrary location on the client with the filename appended with the string "_pub.pem".

Vendor	Product	Versions
Puppet	mcollective	affected `< 0.5.1`

References

https://github.com/puppetlabs/mcollective-sshkey-security/blob/0.5.1/CHANGELOG.md

x_refsource_CONFIRM

https://puppet.com/security/cve/cve-2017-2298

x_refsource_CONFIRM

https://github.com/puppetlabs/mcollective-sshkey-security/commit/3388a3109f4fb1c69fa8505e991bf59ca20d19a2

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.