Information disclosure in Puppet Agent - CVE-2017-2294
Published: July 5, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU38793
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-2294
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Puppet Labs
Affected software:
Puppet Agent
Puppet Agent
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore.
How to mitigate CVE-2017-2294
Install update from vendor's website.