PT-2017-15331 · Puppet · Mcollective
Publicado
2017-06-30
·
Atualizado
2017-09-06
·
CVE-2017-2292
CVSS v3.1
9.0
Crítica
| Vetor | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
MCollective versions prior to 2.10.4
Description
The issue allows for potential arbitrary code execution on the server due to the deserialization of YAML from agents without using safe load. This could be exploited if an attacker sends maliciously crafted YAML input.
Recommendations
For versions prior to 2.10.4, update to version 2.10.4 or later to ensure that YAML input is handled securely using YAML.safe load. As a temporary workaround, consider modifying the affected code to use YAML.safe load on input from agents.
Correção
Deserialization of Untrusted Data
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Mcollective