VYPR
Critical severity9.0NVD Advisory· Published Jun 30, 2017· Updated Jun 17, 2026

CVE-2017-2292

CVE-2017-2292

Description

Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • cpe:2.3:a:puppet:mcollective:*:*:*:*:*:puppet:*:*+ 1 more
    • cpe:2.3:a:puppet:mcollective:*:*:*:*:*:puppet:*:*range: <=2.10.3
    • (no CPE)range: <2.10.4
  • Range: Puppet Enterprise prior to 2016.4.5, Puppet Enterprise 2016.5.x, Puppet Enterprise 2017.1.x, Puppet Agent prior to 1.10.1

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.