CVE-2017-2295

Опубликовано: 11 мая 2017

Источник: redhat

CVSS3: 8.1

EPSS Низкий

Описание

Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Ceph Storage 1.3	puppet	Will not fix
Red Hat Enterprise Linux OpenStack Platform 5 (Icehouse)	puppet	Will not fix
Red Hat Enterprise Linux OpenStack Platform 6 (Juno)	puppet	Will not fix
Red Hat Enterprise Linux OpenStack Platform 6 (Juno) Installer	puppet	Will not fix
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)	puppet	Will not fix
Red Hat OpenStack Platform 10 (Newton)	puppet	Will not fix
Red Hat OpenStack Platform 11 (Ocata)	puppet	Will not fix
Red Hat OpenStack Platform 12 (Pike)	puppet	Will not fix
Red Hat OpenStack Platform 8 (Liberty)	puppet	Will not fix
Red Hat OpenStack Platform 9 (Mitaka)	puppet	Will not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-502

https://bugzilla.redhat.com/show_bug.cgi?id=1452651puppet: Unsafe YAML deserialization

EPSS

Процентиль: 83%

0.02026

Низкий

8.1 High

CVSS3

Связанные уязвимости

CVE-2017-2295

CVSS3: 8.2

ubuntu

больше 8 лет назад

CVE-2017-2295

CVSS3: 8.2

nvd

больше 8 лет назад

CVE-2017-2295

CVSS3: 8.2

debian

больше 8 лет назад

Versions of Puppet prior to 4.10.1 will deserialize data off the wire ...

openSUSE-SU-2017:1948-1

suse-cvrf

больше 8 лет назад

Security update for rubygem-puppet

SUSE-SU-2018:0600-1

suse-cvrf

почти 8 лет назад

Security update for puppet

EPSS

Процентиль: 83%

0.02026

Низкий

8.1 High

CVSS3