Overview

CVE-2017-2290 - Privilege Escalation in mcollective-puppet-agent

  • Posted: March 1, 2017

  • Assessed Risk Level: High

  • CVSS 3 Base Score: 8.8

On windows installations of the mcollective-puppet-agent plugin, a non-administrator user can create an executable that will be executed with administrator privileges on the next `mco puppet` run if `plugin.puppet.command` hasn't been set. Puppet Enterprise users are not affected. This is resolved in mcollective-puppet-agent 1.12.1

Status:

Affected software versions:

  • mcollective-puppet-agent 1.12.0

Resolved in:

  • mcollective-puppet-agent 1.12.1