PT-2025-39287 · Puppet · Puppet Enterprise
Published: 2025-09-24 · Updated: 2025-09-24 · CVE-2025-10360
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
Puppet Enterprise versions 2025.4.0 through 2025.5
Description
The encryption key for the Infra Assistant database was not excluded from Puppet backups in Puppet Enterprise. This key is only present if a Puppet Enterprise Advanced license is active and the Infra Assistant feature is enabled. The key encrypts the API key for the AI provider account within the Infra Assistant database.
Recommendations
Update to Puppet Enterprise version 2025.6.
Follow the remediation steps in the release notes for Puppet Enterprise version 2025.6 if updating is not immediately possible.
Weakness Enumeration
Insufficiently Protected Credentials
Affected Products
Puppet Enterprise