CVE-2017-2295

Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.

Published: Jul 5, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-2295
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.2
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 6
AV:N/AC:M/Au:S/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
puppet / puppet	-	4.10.0.x
debian / debian_linux	8.0	8.0.x

http://www.debian.org/security/2017/dsa-3862
http://www.securityfocus.com/bid/98582
https://puppet.com/security/cve/cve-2017-2295

Vulnerability Database

289,782

CVE-2017-2295