CVE-2017-2292
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2017-2292
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-2292.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2017-2292
- Related
- Published
- 2017-06-30T20:29:00Z
- Modified
- 2025-01-08T04:41:59.718241Z
- Severity
-
- 9.0 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
- Summary
- [none]
- Details
-
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safeload, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safeload on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
- References
Affected packages
Debian:11 / mcollective
Package
- Name
- mcollective
- Purl
- pkg:deb/debian/mcollective?arch=source
Debian:12 / mcollective
Package
- Name
- mcollective
- Purl
- pkg:deb/debian/mcollective?arch=source
Git / github.com/puppetlabs/marionette-collective
Affected ranges
- Type
- GIT
- Repo
- https://github.com/puppetlabs/marionette-collective
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
Affected versions
0.*
0.4.10
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
2.*
2.0.0
2.1.0
2.1.1
2.10.0
2.10.1
2.10.2
2.10.3
2.2.0
2.3.0
2.3.1
2.3.2
2.3.3
2.4.0
2.4.0-rc1
2.4.0-rc2
2.4.1
2.5.0
2.5.0-rc1
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.7.0
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.9.0
2.9.1