Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-7483

YAML.load can be called on arbitrary input

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • None
    • PUP 4.10.1
    • None
    • None
    • Agent
    • 3
    • CVE-2017-2295
    • Agent 2017-05-03
    • Security Fix
    • An authenticated agent could make a catalog request with facts encoded in YAML. The puppetmaster/server did not properly validate and reject the request, resulting in the server loading arbitrary objects, which could lead to remote code execution.
    • Automate
    • Security risk, but easily tested

    Description

      The compiler will extract facts from the POST, and will deserialize using whatever format the user specifies. As a result, an attacker with a valid agent cert can cause the master to execute YAML.load on user specified input.

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              josh Josh Cooper
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support