Information disclosure in Puppet Enterprise - CVE-2015-7328

 


Published: January 8, 2016 / Updated: August 9, 2020


Vulnerability identifier: #VU40539
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2015-7328
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Puppet Labs
Affected software:
Puppet Enterprise

Detailed vulnerability description

The vulnerability allows a local authenticated user to gain access to sensitive information.

Puppet Server in Puppet Enterprise 3.8.x before 3.8.3 and 2015.2.x before 2015.2.3 uses world-readable permissions for the private key of the Certification Authority (CA) certificate during the initial installation and configuration, which might allow local users to obtain sensitive information via unspecified vectors.


How to mitigate CVE-2015-7328

Install the update from the vendor's website.
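
To check a host for the condition described above (a private key file readable by every local user), the following added example scans a directory tree for world-readable PEM private keys. It is not code from this advisory or from Puppet. The function names are hypothetical, and the directory to scan is supplied by the caller because the advisory does not state the key's path.

```shell
#!/bin/sh
# Added example: find PEM private keys that are readable by "other".
# The scan root is passed by the caller; no product-specific path is assumed.

# True if PATH ($1) has all of the permission bits in MODE ($2) set.
has_bits() {
    [ -n "$(find "$1" -prune -perm -"$2" 2>/dev/null)" ]
}

# True if every directory between the scan root ($1) and the file ($2) is o+x,
# so a local user could traverse to it. Directories above the root are not checked.
reachable_within() {
    dir=$(dirname "$2")
    while :; do
        has_bits "$dir" 001 || return 1
        [ "$dir" = "$1" ] && return 0
        case $dir in /|.) return 0 ;; esac
        dir=$(dirname "$dir")
    done
}

# Prints "EXPOSED <path>" or "SHIELDED <path>" for each world-readable key file.
# Returns 1 if at least one key is EXPOSED, otherwise 0.
audit_private_keys() {
    root=${1%/}
    [ -n "$root" ] || root=/
    rc=0
    keys=$(find "$root" -type f -perm -004 \
        -exec grep -q -e '-----BEGIN .*PRIVATE KEY-----' {} \; -print 2>/dev/null) || true
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if reachable_within "$root" "$f"; then
            echo "EXPOSED $f"
            rc=1
        else
            echo "SHIELDED $f"
        fi
    done <<EOF
$keys
EOF
    return "$rc"
}

# Usage: audit_private_keys /path/to/ssl/dir   (placeholder path)
```

A SHIELDED result means the file mode is still too permissive, but a parent directory inside the scanned tree blocks traversal by other users.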
