High severity8.2NVD Advisory· Published Jul 5, 2017· Updated May 13, 2026

CVE-2017-2295

Description

Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.

Affected products

Puppet (software)/Puppet
cpe:2.3:a:puppet:puppet:*:*:*:*:*:*:*:*
Range: <=4.10.0
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Puppet/Puppet serverv5
Range: Puppet prior to 4.10.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.debian.org/security/2017/dsa-3862nvdThird Party Advisory
www.securityfocus.com/bid/98582nvdThird Party AdvisoryVDB Entry
puppet.com/security/cve/cve-2017-2295nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.533
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000