Bug 1927502 (CVE-2021-27017) - CVE-2021-27017 puppet-agent: Deserialization of untrusted data
Summary: CVE-2021-27017 puppet-agent: Deserialization of untrusted data
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-27017
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1927503 1927504 1927505 1927798 1931485
Blocks: 1927506
TreeView+ depends on / blocked
 
Reported: 2021-02-10 21:02 UTC by Pedro Sampaio
Modified: 2021-12-14 18:47 UTC (History)
25 users (show)

Fixed In Version: puppet-agent 7.4.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in puppet-agent. Utilization of a module presented a security risk by allowing the deserialization of untrusted/user supplied data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-10-28 08:46:22 UTC
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2021-02-10 21:02:05 UTC 
Utilization of a module presented a security risk by allowing the deserialization of untrusted/user supplied data. This is resolved in the Puppet Agent 7.4.0 release.

References:

https://puppet.com/security/cve/CVE-2021-27017/
Comment 1 Pedro Sampaio 2021-02-10 21:02:58 UTC 
Created puppet tracking bugs for this issue:

Affects: epel-7 [bug 1927505]
Affects: fedora-all [bug 1927504]
Affects: openstack-rdo [bug 1927503]
Comment 3 Summer Long 2021-02-19 03:46:48 UTC 
External References:

https://puppet.com/security/cve/CVE-2021-27017
Note You need to log in before you can comment on or make changes to this bug.