CVE-2017-2292

CRITICAL

MCollective <2.10.4 - Code Injection

Title source: llm

Description

Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.

References (2)

[Vendor Advisory] https://puppet.com/security/cve/cve-2017-2292

[Third Party Advisory] https://security.gentoo.org/glsa/201709-01

Scores

CVSS v3 9.0

EPSS 0.0181

EPSS Percentile 82.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Classification

CWE

CWE-502

Status draft

Affected Products (1)

puppet/mcollective < 2.10.3

Timeline

Published Jun 30, 2017

Tracked Since Feb 18, 2026