PT-2017-15332 · Puppet · Puppet Enterprise+1

Published: 2017-07-05 · Updated: 2022-01-24 · CVE-2017-2294

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Puppet Enterprise versions prior to 2016.4.5
Puppet Enterprise versions prior to 2017.2.1

Description

The issue is related to the handling of MCollective server private keys in Puppet Enterprise. In affected versions, these keys were not marked as sensitive, which could lead to their values being logged and stored in PuppetDB. This was resolved by utilizing the sensitive data type, a feature introduced in Puppet 4.6, to prevent such logging and storage.

Recommendations

For versions prior to 2016.4.5, update to version 2016.4.5 or later. For versions prior to 2017.2.1, update to version 2017.2.1 or later.
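
A check an operator could run over resource data exported from PuppetDB to see whether private key material was stored as a plain parameter value, which is the exposure the description refers to. This is an added example, not code from this advisory or from Puppet; the record layout (`certname`, `type`, `title`, `parameters`), the paths and the sample records are constructed assumptions.

```python
import re

# PEM header of a private key (PKCS#8, RSA, EC, ENCRYPTED, OPENSSH variants).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")

def _walk(value, path):
    """Yield (path, string) for every string nested inside a JSON-like value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from _walk(item, f"{path}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from _walk(item, f"{path}[{index}]")

def find_exposed_keys(resources):
    """Return one finding per parameter whose value contains PEM private key text."""
    findings = []
    for res in resources:
        for path, text in _walk(res.get("parameters", {}), "parameters"):
            if PEM_PRIVATE_KEY.search(text):
                findings.append({
                    "certname": res.get("certname"),
                    "resource": f"{res.get('type')}[{res.get('title')}]",
                    "parameter": path,  # the key value itself is never echoed
                })
    return findings

# Constructed sample records (assumed layout, hypothetical paths, placeholder key bodies).
FAKE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
            "(constructed placeholder, not a real key)\n"
            "-----END RSA PRIVATE KEY-----\n")
SAMPLE = [
    {"certname": "node1.example.test", "type": "File",
     "title": "/etc/example/server-private.pem",
     "parameters": {"ensure": "file", "mode": "0600", "content": FAKE_KEY}},
    {"certname": "node1.example.test", "type": "File",
     "title": "/etc/example/server-public.pem",
     "parameters": {"content": "-----BEGIN PUBLIC KEY-----\n(placeholder)\n"}},
    {"certname": "node2.example.test", "type": "Example_service",
     "title": "broker",
     "parameters": {"settings": {"keys": [FAKE_KEY], "port": 61613}}},
]

if __name__ == "__main__":
    for finding in find_exposed_keys(SAMPLE):
        print(f"{finding['certname']}: {finding['resource']} -> {finding['parameter']}")
```

Any finding means the key should be treated as disclosed and rotated after upgrading, since the stored copies remain readable to anyone with access to that data.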

Fix

Information Disclosure


Weakness Enumeration

Related identifiers

CVE-2017-2294

Affected products

Puppet Enterprise
Puppetdb