Puppet Mcollective vulnerabilities
6 known vulnerabilities affecting puppet/mcollective.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, MEDIUM 3, LOW 1
Vulnerabilities
CVE-2017-2292 | CRITICAL | CVSS 9.0 | CWE-502 | ≤ 2.10.3 | 2017-06-30
Versions of MCollective prior to 2.10.4 deserialized YAML from agents without calling safe_load, allowing the potential for arbitrary code execution on the server. The fix for this is to call YAML.safe_load on input. This has been tested in all Puppet-supplied MCollective plugins, but there is a chance that third-party plugins could rely on this ins
nvd, osv
CVE-2017-2298 | MEDIUM | CVSS 6.5 | CWE-20 | fixed in 0.5.1 | 2017-06-30
The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a server-specified identifier as part of a path where a file is written. A compromised server could use this to write a file to an arbitrary location on the client with the filename appended with the string "_pub.pem".
cvelistv5, nvd
CVE-2016-2788 | CRITICAL | CVSS 9.8 | ≥ 0, < 2.12.0+dfsg-1 | 2017-02-13
MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet Enterprise, allows remote attackers to execute arbitrary code via vectors related to the mco ping command.
osv
CVE-2014-3248 | MEDIUM | CVSS 6.2 | ≥ 0, < 2.5.2+dfsg-1 | 2014-11-16
Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier, allows local users to gain privileges via a Trojan horse file in the current working directory, as demonstrated using (1) rubygems/defaults/operating_system.rb
osv
CVE-2014-3251 | MEDIUM | CVSS 4.4 | ≥ 0, < 2.6.0+dfsg-1 | 2014-08-12
The MCollective aes_security plugin, as used in Puppet Enterprise before 3.3.0 and Mcollective before 2.5.3, does not properly validate new server certificates based on the CA certificate, which allows local users to establish unauthorized Mcollective connections via unspecified vectors related to a race condition.
osv
CVE-2014-0164 | LOW | CVSS 2.1 | ≥ 0, < 1.2.1+dfsg-2 | 2014-05-05
openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise 1.2.7 and 2.0.5, uses world-readable permissions for the mcollective client.cfg configuration file, which allows local users to obtain credentials and other sensitive information by reading the file.
osv