PT-2020-19863 · Puppet+1 · Puppet Enterprise+3

Published: 2020-03-11 · Updated: 2025-04-01 · CVE-2020-7943

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Puppet Enterprise versions prior to 2018.1.13
Puppet Enterprise versions prior to 2019.5.0
Puppet Server versions prior to 6.9.2
Puppet Server versions prior to 5.3.12
PuppetDB versions prior to 6.9.1
PuppetDB versions prior to 5.2.13

Description

The metrics API endpoints in Puppet Server and PuppetDB previously exposed sensitive information, including hostnames, resource names, titles for defined types, function names, and class names, to the local network. This issue has been resolved in newer versions.

Recommendations

For Puppet Enterprise versions prior to 2018.1.13, update to version 2018.1.13 or later.
For Puppet Enterprise versions prior to 2019.5.0, update to version 2019.5.0 or later.
For Puppet Server versions prior to 6.9.2, update to version 6.9.2 or later.
For Puppet Server versions prior to 5.3.12, update to version 5.3.12 or later.
For PuppetDB versions prior to 6.9.1, update to version 6.9.1 or later.
For PuppetDB versions prior to 5.2.13, update to version 5.2.13 or later.

Fix

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

ALT-PU-2020-3248
ALT-PU-2020-3249
ALT-PU-2020-3290
ALT-PU-2020-3291
ALT-PU-2025-3862
CVE-2020-7943
RHSA-2020:4366

Affected Products

Alt Linux
Puppet Enterprise
Puppet Server
PuppetDB