CVE-2017-2295

HIGH Year: 2017
CVSS v3 Score
8.2
High
CVSS v2 Score
6.0
Medium
Weakness Type
CWE-502
View all →

Vulnerability Description

Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with a attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution. This change constrains the format of data on the wire to PSON or safely decoded YAML.

Related Vulnerabilities

CVE-2021-21956

HIGH
CVSS:8.2(High)

A php unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.10.2. A specially-crafted malformed file can lead to potential arbitrary command execution. An attac...

CWE-5022021

CVE-2016-10750

HIGH
CVSS:8.1(High)

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest...

CWE-5022016

CVE-2017-1000034

HIGH
CVSS:8.1(High)

Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a java deserialization attack in its Remoting component resulting in remote code execution in the context of the ActorSystem.

CWE-5022017

CVE-2017-1000053

HIGH
CVSS:8.1(High)

Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to arbitrary code execution in the deserialization functions of Plug.Session.

CWE-5022017

CVE-2017-3199

HIGH
CVSS:8.1(High)

The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deserializers derives class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of flash.utils.IExter...

CWE-5022017

CVE-2017-3201

HIGH
CVSS:8.1(High)

The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0 derives class instances from java.io.Externalizable rather than the AMF3 specification's recommen...

CWE-5022017