CVE-2017-2293

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped with an MCollective configuration that allowed the package plugin to install or remove arbitrary packages on all managed agents. This release adds default configuration to not allow these actions. Customers who rely on this functionality can change this policy.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.9 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
puppetCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 45%
VendorProductVersion
puppetpuppet_enterprise
𝑥
< 2016.4.5
puppetpuppet_enterprise
2016.5.1
puppetpuppet_enterprise
2016.5.2
puppetpuppet_enterprise
2017.1.0
puppetpuppet_enterprise
2017.1.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
puppet
bullseye
5.5.22-2
fixed
References
https://puppet.com/security/cve/cve-2017-2293
https://puppet.com/security/cve/cve-2017-2293