Main Vulnerability Database Vulnerabilities #VU37571

#VU37571 Input validation error in Puppet Agent - CVE-2017-2293

Published: February 1, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU37571

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-2293

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Puppet Agent

Software vendor:
Puppet Labs

Description

The vulnerability allows a remote privileged user to manipulate data.

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. This release adds default configuration to not allow these actions. Customers who rely on this functionality can change this policy.

Remediation

Install update from vendor's website.

External links

https://puppet.com/security/cve/cve-2017-2293

#VU37571 Input validation error in Puppet Agent - CVE-2017-2293

Description

Remediation

External links

Please verify you're human