CVE-2017-2298

Name of the Vulnerable Software and Affected Versions mcollective-sshkey-security plugin versions prior to 0.5.1

Description The issue allows a compromised server to write a file to an arbitrary location on the client. This is achieved by using a server-specified identifier as part of a path where a file is written, with the filename appended with the string " pub.pem".

Recommendations For versions prior to 0.5.1, update to version 0.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the mcollective-sshkey-security plugin to minimize the risk of exploitation.