Critical severity9.0NVD Advisory· Published Jun 30, 2017· Updated Jun 17, 2026
CVE-2017-2292
CVE-2017-2292
Description
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3cpe:2.3:a:puppet:mcollective:*:*:*:*:*:puppet:*:*+ 1 more
- cpe:2.3:a:puppet:mcollective:*:*:*:*:*:puppet:*:*range: <=2.10.3
- (no CPE)range: <2.10.4
- Range: Puppet Enterprise prior to 2016.4.5, Puppet Enterprise 2016.5.x, Puppet Enterprise 2017.1.x, Puppet Agent prior to 1.10.1
Patches
Vulnerability mechanics
References
2- puppet.com/security/cve/cve-2017-2292nvdVendor Advisory
- security.gentoo.org/glsa/201709-01nvd
News mentions
0No linked articles in our index yet.