PT-2017-15333 · Puppet +2

Published: 2017-05-25 · Updated: 2021-03-15 · CVE-2017-2295

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Puppet versions prior to 4.10.1
Description: The issue allows an attacker to force YAML deserialization in an unsafe manner, potentially leading to remote code execution. This is due to the server deserializing data sent by the agent without proper format constraints.
Recommendations: For versions prior to 4.10.1, update to version 4.10.1 or later, which constrains the format of data on the wire to PSON or safely decoded YAML, preventing unsafe YAML deserialization.

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related identifiers

CVE-2017-2295
DLA-1012-1
DSA-3862-1
MGASA-2017-0156
OPENSUSE-SU-2017_1948-1
RHSA-2018:0336
SUSE-SU-2017:2113-1
SUSE-SU-2017_2113-1
SUSE-SU-2018:0600-1
SUSE-SU-2018_0600-1
USN-3308-1
USN-4804-1

Affected products

Puppet
Suse
Ubuntu