[PUP-7483] YAML.load can be called on arbitrary input - Puppet Tickets

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: PUP 4.10.1
Component/s: None
Labels:
None

Team:
Agent
Story Points:
3
CVE-ID:
CVE-2017-2295
Sprint:
Agent 2017-05-03

Release Notes:
Security Fix
Release Notes Summary:
An authenticated agent could make a catalog request with facts encoded in YAML. The puppetmaster/server did not properly validate and reject the request, resulting in the server loading arbitrary objects, which could lead to remote code execution.

QA Risk Assessment:
Automate
QA Risk Assessment Reason:
Security risk, but easily tested

Description

The compiler will extract facts from the POST, and will deserialize using whatever format the user specifies. As a result, an attacker with a valid agent cert can cause the master to execute YAML.load on user specified input.

Attachments

Issue Links

mentioned in: Page Loading...

Activity

People

Assignee:: Unassigned

Reporter:: Josh Cooper

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2017/04/28 11:50 AM

Updated:: 2017/10/06 2:35 PM

Resolved:: 2017/05/01 1:41 PM