CVE-2017-2292 — Deserialization of Untrusted Data in Mcollective

CWE-502 — Deserialization of Untrusted Data11 documents8 sources

Severity

9.0CRITICALNVD

EPSS

1.8%

top 17.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Mcollective

Timeline

PublishedJun 30

Latest updateMay 17

Description

Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this insecure behavior.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:LExploitability: 2.3 | Impact: 6.0

Affected Packages2 packages

▶Debianpuppet/mcollective< 2.12.0+dfsg-1+1

▶NVDpuppet/mcollective2.10.3

🔴Vulnerability Details

GHSA

GHSA-9hgj-f7f3-cph7: Versions of MCollective prior to 2↗2022-05-17

▶

OSV

CVE-2017-2292: Versions of MCollective prior to 2↗2017-06-30

▶

CVEList

CVE-2017-2292: Versions of MCollective prior to 2↗2017-06-30

▶

💥Exploits & PoCs

Exploit-DB

PyroBatchFTP 3.17 - Buffer Overflow (SEH)↗2017-10-07

▶

📋Vendor Advisories

Red Hat

mcollective: RCE via YAML deserialization↗2017-05-11

▶

Debian

CVE-2017-2292: mcollective - Versions of MCollective prior to 2.10.4 deserialized YAML from agents without ca...↗2017

▶

💬Community

Bugzilla

CVE-2017-2292 mcollective: RCE via YAML deserialization↗2017-07-12

▶

Bugzilla

CVE-2017-2292 mcollective: RCE via YAML deserialization [epel-6]↗2017-07-12

▶

Bugzilla

CVE-2017-2292 mcollective: RCE via YAML deserialization [fedora-all]↗2017-07-12

▶

Bugzilla

CVE-2017-7507 gnutls: Crash upon receiving well-formed status_request extension↗2017-05-23

▶