High severity (8.2) · NVD Advisory · Published Jul 5, 2017 · Updated Jun 17, 2026
CVE-2017-2295
Description
Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.
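As an added illustration that is not Puppet's own code, the Ruby sketch below contrasts a decoder that dispatches on a peer-chosen format name straight to the unrestricted YAML loader with one constrained, as the fix describes, to PSON or safely decoded YAML. The `Marker` class, the function names and the wire payloads are constructed for the example; PSON is treated as JSON-compatible here.

```ruby
require 'yaml'
require 'json'

# Constructed stand-in for any class a YAML document can name by tag.
class Marker
  attr_accessor :note
end

class UnsupportedFormat < StandardError; end

# Unrestricted YAML loading: YAML.load before Psych 4, YAML.unsafe_load after.
def yaml_unrestricted(body)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# Pre-4.10.1 pattern: the peer names the format and the server dispatches to
# that decoder, so asking for "yaml" reaches the loader that instantiates
# whatever class the document's tags name.
def decode_attacker_chosen_format(format, body)
  case format
  when 'yaml' then yaml_unrestricted(body)
  when 'pson', 'json' then JSON.parse(body)
  else raise UnsupportedFormat, format
  end
end

# Constrained pattern matching the described fix: PSON, or YAML restricted to
# plain data (hashes, arrays, strings, numbers); tagged objects are refused.
def decode_constrained(format, body)
  case format
  when 'pson' then JSON.parse(body)
  when 'yaml' then YAML.safe_load(body)
  else raise UnsupportedFormat, format
  end
end

# Returns :rejected when the constrained decoder refuses the input.
def constrained_outcome(format, body)
  decode_constrained(format, body)
rescue Psych::DisallowedClass, UnsupportedFormat
  :rejected
end

# Constructed wire payloads: plain agent facts, and a document whose tag
# names a class for the loader to instantiate.
PLAIN_YAML  = "---\nhost: agent01\nfacts:\n  os: linux\n"
TAGGED_YAML = "--- !ruby/object:Marker\nnote: instantiated by the loader\n"

p decode_attacker_chosen_format('yaml', TAGGED_YAML).class  # Marker
p constrained_outcome('yaml', TAGGED_YAML)                  # :rejected
```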
Affected products
- cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:* range: <= 4.10.0
- (no CPE) range: < 4.10.1
- OSV coordinates (5 versions):
  - pkg:rpm/suse/puppet&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2 (no CPE) range: < 3.8.5-15.3.3
  - pkg:rpm/suse/puppet&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 (no CPE) range: < 3.8.5-15.3.3
  - pkg:rpm/suse/puppet&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Advanced%20Systems%20Management%2012 (no CPE) range: < 3.8.5-15.3.3
  - pkg:rpm/suse/puppet&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 (no CPE) range: < 2.7.26-0.5.3.1
  - pkg:rpm/suse/puppet&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 (no CPE) range: < 2.7.26-0.5.3.1
- Range: Puppet prior to 4.10.1
References
- www.debian.org/security/2017/dsa-3862 (NVD: Third Party Advisory)
- www.securityfocus.com/bid/98582 (NVD: Third Party Advisory, VDB Entry)
- puppet.com/security/cve/cve-2017-2295 (NVD: Vendor Advisory)