Critical severity 9.0 · NVD Advisory · Published Jun 30, 2017 · Updated May 13, 2026

CVE-2017-2292

Description

Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
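The effect of the fix on incoming data, as an added Ruby example that is not MCollective's own code: `YAML.safe_load` accepts plain data and refuses any document that asks for an object outside an explicit allowlist, which is also where a third-party plugin relying on the old behavior would start failing. The `PluginResult` class, the `parse_reply` helper and the sample payloads are constructed for illustration.

```ruby
require 'yaml'

# Hypothetical class a third-party plugin might expect to receive as an object.
class PluginResult
  attr_accessor :status
end

# Constructed sample reply bodies (not captured MCollective traffic).
PLAIN_REPLY  = "---\nstatuscode: 0\nstatusmsg: OK\ndata:\n  packages:\n  - puppet-agent\n"
OBJECT_REPLY = "--- !ruby/object:PluginResult\nstatus: done\n"
SYMBOL_REPLY = "---\n:statuscode: 0\n"

# Parse an untrusted reply body. Only basic types (strings, numbers, arrays,
# hashes, booleans, nil) plus the classes listed in `permitted` are built;
# anything else is reported as a rejection instead of being instantiated.
def parse_reply(body, permitted = [])
  { ok: true, value: YAML.safe_load(body, permitted_classes: permitted) }
rescue Psych::DisallowedClass => e
  { ok: false, error: e.class.name, detail: e.message }
end

if __FILE__ == $PROGRAM_NAME
  {
    'plain data, empty allowlist'    => parse_reply(PLAIN_REPLY),
    'tagged object, empty allowlist' => parse_reply(OBJECT_REPLY),
    'symbol key, empty allowlist'    => parse_reply(SYMBOL_REPLY),
    'symbol key, Symbol allowed'     => parse_reply(SYMBOL_REPLY, [Symbol]),
    'tagged object, Symbol allowed'  => parse_reply(OBJECT_REPLY, [Symbol])
  }.each { |label, result| puts "#{label}: #{result.inspect}" }
end
```

A plugin that fails after the upgrade with `Psych::DisallowedClass` is one that was depending on object deserialization; the error message names the class it tried to load.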

Affected products

  • cpe:2.3:a:puppet:mcollective:*:*:*:*:*:puppet:*:*
    Range: <=2.10.3
  • Puppet/mcollective, Puppet, Puppet Enterprisev5
    Range: Puppet Enterprise prior to 2016.4.5, Puppet Enterprise 2016.5.x, Puppet Enterprise 2017.1.x, Puppet Agent prior to 1.10.1
