CVE-2020-7942

Name of the Vulnerable Software and Affected Versions Puppet versions prior to 6.13.0 Puppet Agent versions prior to 6.13.0 Puppet versions 5.5.x prior to 5.5.19 Puppet Agent versions 5.5.x prior to 5.5.19

Description The issue is related to errors in the certificate authentication procedure, allowing a remote attacker to gain unauthorized access to protected information. Previously, Puppet operated on a model where a node with a valid certificate was entitled to all information in the system, and a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the default node, the catalog can be retrieved for a different node by modifying facts for the Puppet run.

Recommendations For Puppet versions prior to 6.13.0, set strict hostname checking = true in puppet.conf on your Puppet master to ensure secure behavior. For Puppet Agent versions prior to 6.13.0, set strict hostname checking = true in puppet.conf on your Puppet master to ensure secure behavior. For Puppet versions 5.5.x prior to 5.5.19, set strict hostname checking = true in puppet.conf on your Puppet master to ensure secure behavior. For Puppet Agent versions 5.5.x prior to 5.5.19, set strict hostname checking = true in puppet.conf on your Puppet master to ensure secure behavior.