PT-2018-7107 · Puppet · Puppet Enterprise

Published: 2018-02-01 · Updated: 2022-01-24 · CVE-2017-2293

CVSS v2.0: 5.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Puppet Enterprise versions prior to 2016.4.5; Puppet Enterprise versions prior to 2017.2.1
Description: The issue concerns a configuration in MCollective that allows the package plugin to install or remove arbitrary packages on all managed agents. This configuration poses a risk because it can be exploited to compromise the security of the system. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents in which this issue was exploited.
Recommendations: For versions prior to 2016.4.5, update to version 2016.4.5 or later to resolve the issue. For versions prior to 2017.2.1, update to version 2017.2.1 or later to resolve the issue. As a temporary workaround, consider changing the default policy to not allow the package plugin to install or remove arbitrary packages on all managed agents.

Fix

Related Identifiers

CVE-2017-2293

Affected Products

Puppet Enterprise