Main Vulnerability Database Vulnerabilities #VU38793

#VU38793 Information disclosure in Puppet Agent - CVE-2017-2294

Published: July 5, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU38793

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-2294

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Puppet Agent

Software vendor:
Puppet Labs

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to mark MCollective server private keys as sensitive (a feature added in Puppet 4.6), so key values could be logged and stored in PuppetDB. These releases use the sensitive data type to ensure this won't happen anymore.

Remediation

Install update from vendor's website.

External links

https://puppet.com/security/cve/cve-2017-2294

#VU38793 Information disclosure in Puppet Agent - CVE-2017-2294

Description

Remediation

External links

Please verify you're human