Your submission was sent successfully! Close

CVE-2017-2295

Published: 25 May 2017

Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.

Priority

Medium

CVSS 3 base score: 8.2

Status

Package Release Status
puppet
Launchpad, Ubuntu, Debian
artful Not vulnerable
(4.8.2-5ubuntu1)
bionic Not vulnerable
(4.8.2-5ubuntu1)
cosmic Not vulnerable
(4.8.2-5ubuntu1)
disco Not vulnerable
(4.8.2-5ubuntu1)
eoan Not vulnerable
(4.8.2-5ubuntu1)
focal Not vulnerable
(4.8.2-5ubuntu1)
groovy Not vulnerable
(4.8.2-5ubuntu1)
hirsute Not vulnerable
(4.8.2-5ubuntu1)
impish Not vulnerable
(4.8.2-5ubuntu1)
jammy Not vulnerable
(4.8.2-5ubuntu1)
precise Does not exist

trusty
Released (3.4.3-1ubuntu1.2)
upstream
Released (4.8.2-5)
xenial Ignored
(end of standard support, was needed)
yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)
Patches:
upstream: https://github.com/puppetlabs/puppet/commit/06d8c51367ca932b9da5d9b01958cfc0adf0f2ea