Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: puppet

Published: 2017-07-05T15:00:00Z

Updated: 2024-09-16T20:43:40.186Z

Reserved: 2016-12-01T00:00:00

Link: CVE-2017-2295

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2017-07-05T15:29:00.207

Modified: 2024-11-21T03:23:13.763

Link: CVE-2017-2295

cve-icon Redhat

Severity : Important

Publid Date: 2017-05-11T00:00:00Z

Links: CVE-2017-2295 - Bugzilla