  1. Puppet
  2. PUP-7483

YAML.load can be called on arbitrary input

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 4.10.1
    • Component/s: None
    • Labels:
      None
    • Template:
    • Team:
      Agent
    • Story Points:
      3
    • CVE-ID:
      CVE-2017-2295
    • Sprint:
      Agent 2017-05-03
    • Release Notes:
      Security Fix
    • Release Notes Summary:
      An authenticated agent could make a catalog request with facts encoded in YAML. The puppetmaster/server did not properly validate and reject the request, resulting in the server loading arbitrary objects, which could lead to remote code execution.
    • QA Risk Assessment:
      Automate
    • QA Risk Assessment Reason:
      Security risk, but easily tested

      Description

      The compiler will extract facts from the POST, and will deserialize using whatever format the user specifies. As a result, an attacker with a valid agent cert can cause the master to execute YAML.load on user-specified input.
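
The pattern described above, shown with its two standard mitigations. This is an added example, not Puppet's code or the fix shipped in PUP 4.10.1: a format allow-list applied before any parser runs, and data-only YAML parsing where YAML cannot be refused outright. `decode_facts`, `decode_yaml_data_only`, `RejectedFacts`, `Probe` and the sample bodies are hypothetical names and constructed inputs.

```ruby
require 'json'
require 'yaml'

# All names below are hypothetical; this is not Puppet's code.
class RejectedFacts < StandardError; end

# Formats the server agrees to parse; the sender's label never picks a parser.
ALLOWED_FACT_FORMATS = %w[json].freeze

# Benign stand-in for a class named in a YAML tag by the sender.
class Probe
  attr_accessor :name
end

# Constructed sample request bodies.
JSON_FACTS  = '{"name":"agent01.example.test","values":{"os":"linux"}}'
PLAIN_YAML  = "name: agent01.example.test\nvalues:\n  os: linux\n"
TAGGED_YAML = "--- !ruby/object:Probe\nname: agent01.example.test\n"

# Refuse unlisted formats before any deserializer touches the body.
def decode_facts(format, body)
  unless ALLOWED_FACT_FORMATS.include?(format.to_s.downcase)
    raise RejectedFacts, "unsupported facts format: #{format.inspect}"
  end
  facts = JSON.parse(body)
  raise RejectedFacts, 'facts must be a JSON object' unless facts.is_a?(Hash)
  facts
rescue JSON::ParserError
  raise RejectedFacts, 'malformed JSON facts'
end

# Where YAML has to be accepted, safe_load builds only plain data types
# and raises on tags that name a class.
def decode_yaml_data_only(body)
  data = YAML.safe_load(body)
  raise RejectedFacts, 'facts must be a mapping' unless data.is_a?(Hash)
  data
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  raise RejectedFacts, "refused YAML: #{e.class}"
end

# True when the block raises RejectedFacts.
def rejected?
  yield
  false
rescue RejectedFacts
  true
end

puts rejected? { decode_facts('yaml', TAGGED_YAML) }   # format refused
puts rejected? { decode_yaml_data_only(TAGGED_YAML) }  # tag refused
```

The allow-list check runs on the format label alone, so a body labelled as YAML is rejected whether or not its content is harmless.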


                People

                • Assignee:
                  Unassigned
                • Reporter:
                  Josh Cooper