Main Vulnerability Database Vulnerabilities #VU37571

Input validation error in Puppet Agent - CVE-2017-2293

Published: February 1, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU37571

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-2293

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Puppet Labs

Affected software:
Puppet Agent

Detailed vulnerability description

The vulnerability allows a remote privileged user to manipulate data.

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. This release adds default configuration to not allow these actions. Customers who rely on this functionality can change this policy.

How to mitigate CVE-2017-2293

Install update from vendor's website.

Sources

https://puppet.com/security/cve/cve-2017-2293

Input validation error in Puppet Agent - CVE-2017-2293

Detailed vulnerability description

How to mitigate CVE-2017-2293

Sources

Please verify you're human