CVE-2017-2295

HIGH

Puppet <4.10.1 - Code Injection

Title source: llm

Description

Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.

References (3)

[Third Party Advisory] http://www.debian.org/security/2017/dsa-3862

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/98582

[Vendor Advisory] https://puppet.com/security/cve/cve-2017-2295

Scores

CVSS v3 8.2

EPSS 0.0189

EPSS Percentile 83.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

Classification

CWE

CWE-502

Status draft

Affected Products (2)

puppet/puppet < 4.10.0

debian/debian_linux

Timeline

Published Jul 05, 2017

Tracked Since Feb 18, 2026