CVE-2017-2295

Published: 05/07/2017 Updated: 24/05/2018
CVSS v2 Base Score: 6 | Impact Score: 6.4 | Exploitability Score: 6.8
CVSS v3 Base Score: 8.2 | Impact Score: 5.8 | Exploitability Score: 1.8
VMScore: 534
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Summary

Versions of Puppet before 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.

Vulnerable Product

puppet puppet

debian debian linux 8.0

Vendor Advisories

Synopsis: Important: Satellite 6.3 security, bug fix, and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat Satellite. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) ...
Debian Bug report logs - #863212 puppet: CVE-2017-2295: unsafe YAML deserialization. Package: src:puppet; Maintainer for src:puppet is Puppet Package Maintainers <pkg-puppet-devel@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 23 May 2017 17:15:02 UTC; Severity: grave; Tags: p ...
Several security issues were fixed in Puppet ...
Unsafe YAML deserialization: Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSO ...