CVE-2017-2293

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. This release adds default configuration to not allow these actions. Customers who rely on this functionality can change this policy.

Published: Feb 1, 2018
Updated: Apr 13, 2023
CVE: CVE-2017-2293
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.9
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5.5
AV:N/AC:L/Au:S/C:N/I:P/A:P

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
puppet / puppet_enterprise	2016.5.1	2016.5.1.x
puppet / puppet_enterprise	-	2016.4.5
puppet / puppet_enterprise	2016.5.2	2016.5.2.x
puppet / puppet_enterprise	2017.1.1	2017.1.1.x
puppet / puppet_enterprise	2017.1.0	2017.1.0.x

https://puppet.com/security/cve/cve-2017-2293

Vulnerability Database

289,689

CVE-2017-2293