Description
The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a server-specified identifier as part of a path where a file is written. A compromised server could use this to write a file to an arbitrary location on the client with the filename appended with the string "_pub.pem".
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/puppetlabs/mcollective-sshkey-security/blob/0.5.1/CHANGELOG.md
Mitigation, Patch, Vendor Advisory x_refsource_confirm
https://puppet.com/security/cve/cve-2017-2298
Third Party Advisory x_refsource_confirm
https://github.com/puppetlabs/mcollective-sshkey-security/commit/3388a3109f4fb1c69fa8505e991bf59ca20d19a2
Scores
CVSS v3
6.5
EPSS
0.0149
EPSS Percentile
70.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-20
Status
published
Products (2)
Puppet/mcollective
< 0.5.1
puppet/mcollective-sshkey-security
< 0.5.0
Published
Jun 30, 2017
Tracked Since
Feb 18, 2026