PT-2017-15332 · Puppet · Puppet Enterprise+1

Published

2017-07-05

Updated

2022-01-24

CVE-2017-2294

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Puppet Enterprise versions prior to 2016.4.5 Puppet Enterprise versions prior to 2017.2.1

Description The issue is related to the handling of MCollective server private keys in Puppet Enterprise. In affected versions, these keys were not marked as sensitive, which could lead to their values being logged and stored in PuppetDB. This was resolved by utilizing the sensitive data type, a feature introduced in Puppet 4.6, to prevent such logging and storage.

Recommendations For versions prior to 2016.4.5, update to version 2016.4.5 or later. For versions prior to 2017.2.1, update to version 2017.2.1 or later.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2017-2294

Affected Products

Puppet Enterprise

Puppetdb

PT-2017-15332 · Puppet · Puppet Enterprise+1

CVE-2017-2294

Weakness Enumeration

Related Identifiers

Affected Products

References · 4