CVE-2017-2295

HIGH

Puppet < 4.10.1 - Remote Code Execution via Unsafe YAML Deserialization

Title source: llm

Description

Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.

References (3)

Core 3

Core References

Vendor Advisory x_refsource_confirm

https://puppet.com/security/cve/cve-2017-2295

Third Party Advisory vendor-advisory x_refsource_debian

http://www.debian.org/security/2017/dsa-3862

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/98582

Scores

CVSS v3 8.2

EPSS 0.0238

EPSS Percentile 81.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Details

CWE

CWE-502

Status published

Products (3)

debian/debian_linux 8.0

puppet/puppet < 4.10.0

Puppet/Puppet server Puppet prior to 4.10.1

Published Jul 05, 2017

Tracked Since Feb 18, 2026