CVE-2015-7328

MEDIUM

Puppet Enterprise - Exposure of Sensitive Information via World-Readable CA Private Key

Title source: llm
STIX 2.1

Description

Puppet Server in Puppet Enterprise before 3.8.x before 3.8.3 and 2015.2.x before 2015.2.3 uses world-readable permissions for the private key of the Certification Authority (CA) certificate during the initial installation and configuration, which might allow local users to obtain sensitive information via unspecified vectors.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_confirm
https://puppetlabs.com/security/cve/cve-2015-7328

Scores

CVSS v3 4.7
EPSS 0.0017
EPSS Percentile 7.0%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (6)
puppet/puppet_enterprise 3.8.0
puppet/puppet_enterprise 3.8.1
puppet/puppet_enterprise 3.8.2
puppet/puppet_enterprise 2015.2.0
puppet/puppet_enterprise 2015.2.1
puppet/puppet_enterprise 2015.2.2
Published Jan 08, 2016
Tracked Since Feb 18, 2026