Lucene search
PuppetCVELIST:CVE-2017-2292HistoryMay 11, 2017 - 12:00 a.m.
CVE-2017-2292
2017-05-1100:00:00
puppet
www.cve.org
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
CNA Affected
[
{
"product": "mcollective, Puppet, Puppet Enterprise",
"vendor": "Puppet",
"versions": [
{
"status": "affected",
"version": "Puppet Enterprise prior to 2016.4.5, Puppet Enterprise 2016.5.x, Puppet Enterprise 2017.1.x, Puppet Agent prior to 1.10.1"
}
]
}
]Related
osv
osv
CVE-2017-2292
2017-06-30 20:29:00
nvd
nvd
CVE-2017-2292
2017-06-30 20:29:00
redhatcve
redhatcve
CVE-2017-2292
2017-07-12 11:50:01
debiancve
debiancve
CVE-2017-2292
2017-06-30 20:29:00
gentoo
gentoo
MCollective: Remote Code Execution
2017-09-04 00:00:00
nessus
nessus
GLSA-201709-01 : MCollective: Remote Code Execution
2017-09-05 00:00:00
Puppet Enterprise < 2016.4.5 / 2016.5.x / 2017.1.x Multiple Vulnerabilities
2019-10-09 00:00:00
veracode
veracode
Remote Code Execution (RCE) Through YAML Deserialization
2017-07-03 01:13:13
cve
cve
CVE-2017-2292
2017-06-30 20:29:00
prion
prion
Code injection
2017-06-30 20:29:00
ubuntucve
ubuntucve
CVE-2017-2292
2017-06-30 00:00:00
openvas
openvas
Puppet Enterprise < 2016.4.5, 2016.5.x < 2017.2.1 Multiple Vulnerabilities
2017-07-06 00:00:00